The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)

How the HITRUST Approach can help organizations demonstrate compliance with and obtain certification under the DoD CMMC program

June 2020


v.HT-149-01 © 2020 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronic or mechanical, without HITRUST’s prior written permission.

Executive Summary

Since 2007, HITRUST® has delivered solutions that solve problems associated with the lack of a common set of information security and privacy controls needed to safeguard sensitive information and privacy. HITRUST solutions include:

1. The HITRUST CSF®, an industry-leading information security and privacy control framework that incorporates multiple regulatory requirements, industry best-practice standards, and other frameworks;

2. The HITRUST CSF Assurance Program®, a standardized methodology for effectively and consistently measuring compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and cost containment; and

3. The HITRUST MyCSF® tool, a subscription-based service that allows clients to retain their assessment data, eliminating redundant (internal or assessor) data-entry tasks for interim assessments and subsequent external assessments and saving organizations hundreds of hours and thousands of dollars over a two-year assessment cycle.

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s new cybersecurity maturity model. It measures cybersecurity maturity across 17 domains and aligns with a set of cybersecurity processes and practices. The CMMC framework provides a benchmark against which an organization can evaluate the current capability of its processes, practices, and methods, and it adds a certification requirement to verify the implementation of the CMMC practices and capabilities associated with a given cybersecurity maturity level.

The overall structure of the HITRUST CSF and the HITRUST CSF Assurance Program’s approach to evaluating control maturity are similar to the approach used in the CMMC model. While the similarities allow HITRUST to support CMMC certification, it is the differences between the two approaches that uniquely position organizations using HITRUST to operationalize CMMC as part of their existing information protection program and to quickly assess CMMC Practice and Process maturity with accuracy and precision. This document provides an in-depth analysis of the HITRUST Approach™ and the CMMC model, compares the two approaches, and shows how the HITRUST CSF exceeds the CMMC requirements and can be leveraged to achieve CMMC compliance.

Acknowledgements

Significant content on the HITRUST Approach was obtained from existing HITRUST resources and is indicated as cited. All content on the CMMC model was obtained from CMMC documentation and is subject to copyright by Carnegie Mellon University (CMU) and the Johns Hopkins University Applied Physics Laboratory (JHU APL).

The authors would like to thank executive leadership at HITRUST who reviewed the manuscript and, in particular, Ms. Nicole Tallman, our Technical Writer at HITRUST, who reviewed the draft manuscript in painstaking detail and offered numerous comments and suggestions for improvement.


Table of Contents

Introduction  6
The HITRUST Approach  7
  Control Framework-Based Risk Analysis  7
  The HITRUST CSF  8
    Framework Structure  9
    Control Structure  10
    Scoping and Tailoring the HITRUST CSF  12
  The HITRUST CSF Assurance Program  12
    HITRUST Assessment Methodology  12
    HITRUST Assurance  15
  Support for the NIST Cybersecurity Framework  17
The CMMC Approach  18
  CMMC Model  18
  CMMC Assurance  21
  Support for the NIST Cybersecurity Framework  22
HITRUST Support for CMMC  23
  HITRUST CSF Controls and CMMC Practices  23
  HITRUST CSF Assurance and CMMC Process Maturity  25
  Leveraging a HITRUST CSF Assessment to Support CMMC  26
Final Thoughts/Key Takeaways  27
About HITRUST  28
About the Authors  29
Appendix A − Glossary  30
Appendix B − HITRUST CSF Structure  34
Appendix C − HITRUST CSF Assessment Methodology  38
Appendix D − HITRUST Support for the NIST Cybersecurity Framework  40
Appendix E − CMMC Domains and Capabilities  41
Appendix F − CMMC Practices  43
Appendix G − NIST Cybersecurity Framework  55
Appendix H − References  69


List of Figures

Figure 1. Risk Analysis Supporting Specification of the NIST Minimum Security Control Baselines  7
Figure 2. HITRUST Overlay of the NIST SP 800-53 Moderate Impact Control Baseline  9
Figure 3. CMMC Model Framework (simplified hierarchical view)  18
Figure 4. CMMC Levels and Descriptions  19
Figure 5. CMMC Levels and Associated Focus  19
Figure 6. Structural Similarities Between the HITRUST and CMMC Approaches  23
Figure 7. The HITRUST Approach  28
Figure 8. HITRUST CSF Framework Structure - CSF Control Categories and Objectives  34
Figure 9. HITRUST Support for the NIST Cybersecurity Framework  40

List of Tables

Table 1. HITRUST CSF Control Categories (Number of Control Objectives, Number of Controls)  9
Table 2. HITRUST CSF Control Structure - Example  11
Table 3. Predisposing Conditions  12
Table 4. HITRUST CSF Control Implementation Maturity Model  13
Table 5. HITRUST CSF Control Implementation Maturity Model Compliance Scale  15
Table 6. Assurance Criteria and Attributes of AICPA SOC2, HITRUST CSF, ISO 27001, and NIST SP 800-53  16
Table 7. CMMC Maturity Levels  20
Table 8. Assurance Criteria and Attributes of CMMC and HITRUST CSF  22
Table 9. Structural Similarity Between the HITRUST CSF and the CMMC Model  23
Table 10. HITRUST CSF Risk Factors for the CMMC Model  24
Table 11. HITRUST CSF Assurance Program Support for the Evaluation of CMMC Process Maturity  25
Table 12. Mapping of CMMC Domains to Plan-Related Controls in the HITRUST CSF  26
Table 13. HITRUST CSF Control Categories, Control Objectives, and Controls  35
Table 14. HITRUST CSF Control Implementation Maturity Model  38
Table 15. HITRUST Assessment Procedures by Maturity Level - Example  39
Table 16. Number of CMMC Practices by CMMC Domain and Capability  41
Table 17. CMMC Practices with Mappings to the NIST Cybersecurity Framework and HITRUST CSF  43
Table 18. NIST Cybersecurity Framework Core Subcategories with Mappings to CMMC and HITRUST CSF  55


Introduction

The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.[i] The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.[ii]

Malicious cyber actors have targeted and continue to target the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD). The DIB sector consists of over 300,000 companies that support the warfighter and contribute to the research, engineering, development, acquisition, production, delivery, sustainment, and operation of DoD systems, networks, installations, capabilities, and services. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security.

As part of multiple lines of effort focused on the security and resiliency of the DIB sector, the DoD [worked] with industry to enhance the protection of … Federal Contract Information (FCI) … [and] Controlled Unclassified Information (CUI). Towards this end, the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) … developed the Cybersecurity Maturity Model Certification (CMMC)[iii] framework in concert with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the DIB sector.[iv]

The CMMC is the DoD’s new cybersecurity maturity model, intended to help organizations protect FCI and CUI and defend the DIB. As its name suggests, CMMC provides a mechanism for formal certification of an organization’s cybersecurity maturity, and the DoD expects organizations that receive FCI and CUI to achieve certification by 2025.

However, the CMMC does not provide the underlying activities or controls needed to meet the objectives specified by CMMC Practices, nor does it provide guidance on how organizations can integrate CMMC requirements into their existing cybersecurity programs. This paper shows how the HITRUST Approach supports CMMC while demonstrating an appropriate level of due diligence and due care for the protection of FCI and CUI, and how organizations can:

• Integrate CMMC requirements into their existing cybersecurity programs,
• Demonstrate compliance with CMMC requirements using a HITRUST CSF Validated Assessment, and
• Support attestations of compliance with a HITRUST CSF Validated Assessment Report.


The HITRUST Approach

Effectively managing data, information risk, and compliance is complex and ever-changing. There are many components and considerations in developing and implementing a robust program that encompasses and integrates all the elements needed to manage this risk and achieve one’s compliance objectives effectively. Many organizations believe selecting their information risk management framework is the most complicated part of the process; although important, it is just the beginning. The HITRUST Approach[v] provides organizations a comprehensive information risk management and compliance program: an integrated approach that ensures all programs are aligned, maintained, and comprehensive in support of an organization’s information risk management and compliance objectives.[1]

Control Framework-Based Risk Analysis

The first step in any risk management process is a risk analysis, which is used to determine an organization’s overall risk, develop a risk management strategy, and identify a reasonable and appropriate set of controls designed to mitigate its risk to an acceptable level. Unfortunately, a traditional ‘textbook’ approach to risk analysis, such as the one outlined by the National Institute of Standards and Technology (NIST)[vi], can be difficult, if not impossible, for many organizations to perform.

Even U.S. Federal Agencies do not typically perform this type of risk analysis when deciding which controls to implement. Instead, they categorize their information systems by identifying “one of three levels of potential impact on organizations or individuals should there be a breach of security….”[vii] Agencies then simply select a security control baseline appropriate for the categorization.

This method of selecting security controls based on levels of impact is only possible because the risk analysis has already been performed by NIST. Federal Agencies rely on NIST Special Publication (SP) 800-53,[viii] which was created after NIST conducted a general risk analysis of a typical Federal Agency with typical threats to typical vulnerabilities of typical information assets and developed three security control baselines to address the risk associated with three levels of potential impact: low, moderate, and high.[2] This greatly simplifies the risk analysis process, as depicted in Figure 1, and provides an ‘80 percent solution’ for control specification.[3] Agencies are then expected to further tailor the selected baseline to ensure any unique information protection requirements are addressed.

Figure 1. Risk Analysis Supporting Specification of the NIST Minimum Security Control Baselines

[Figure 1 is a flow diagram; its labeled steps, in the order they appear in the extracted text, are: Classify Information Assets; Inventory and Categorize Assets; Identify Assets; Assess Vulnerabilities; Determine Impact; Assess and Rank Risks; Develop Risk Strategies / Plan.]

[1] Portions of this section are taken or derived from other HITRUST documentation (as cited).
[2] Categorization is determined by the greatest impact to the organization from a loss of confidentiality, integrity, or availability (referred to as the “high-water mark”).
[3] In the vein of the ‘80/20’ or ‘Pareto Rule’, organizations can obtain a minimum security control baseline that will address a majority (‘80%’) of its risks for a relatively small (‘20%’) effort from categorizing its information and information system(s).


Although used extensively by Federal Agencies, any organization can leverage a NIST SP 800-53 baseline to satisfy a myriad of requirements, or even create its own overlay (essentially a formally documented set of justified modifications to a control baseline) by going through the tailoring process. To create an overlay of a NIST SP 800-53 baseline:

• First, scale the controls by selecting an appropriate baseline from which to begin. This helps ensure time and effort are not wasted on implementing controls that aren’t necessary for the level of risk mitigation required.

• Second, scope the scaled baseline by adding or enhancing controls, as needed, to address applicable regulatory, legal, contractual, and other business-related requirements unique to your organization. Controls may also be removed based on organizational and financial constraints; however, no control should be removed simply as a matter of convenience.

• Third, specify compensating controls for baseline controls that cannot be implemented, e.g., due to technical, architectural, or financial reasons. Ensure the compensating controls address a similar type and amount of risk as the baseline controls being replaced.

• Fourth, continue the tailoring process by reviewing the organization-defined parameters to ensure the values are consistent with best practices and industry due care and due diligence requirements. Many NIST controls are not implementable as written and require organizations to ‘fill in the blanks.’

• Finally, review the resulting overlay regularly, or otherwise as needed, to ensure the overlay continues to address extant and emerging threats to your information assets.

Control overlays may be used to address the needs of a specific system or organizational element or a general type of information system or organization, to satisfy statutory or regulatory requirements, or to address the needs of a partnership, coalition, industry, or sector. Several public and private sector organizations already leverage the overlay concept to great benefit. For example, the Centers for Medicare and Medicaid Services (CMS) produces an overlay of all three NIST SP 800-53 control baselines for its own use and that of its contractors[ix] and a separate overlay of the NIST SP 800-53 moderate impact control baseline for Health Insurance Exchanges (HIXs).[x] The Federal Risk and Authorization Management Program (FedRAMP) also provides overlays of all three NIST SP 800-53 control baselines for the certification of cloud products and services used by Federal Agencies.[xi] HITRUST also produces an overlay of the NIST moderate impact baseline for use by any industry, domestic or international.[xii]

Regardless of whether a traditional or a control framework-based risk analysis approach is used to specify its controls, an organization must generally implement all of the controls it specifies to mitigate risk to a level consistent with its strategic objectives, i.e., within its appetite for risk. Failure to fully implement these controls can subsequently expose the organization to more risk than it is otherwise willing to accept.
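The five tailoring steps above, as an added example in Python that is not HITRUST, NIST, CMS or FedRAMP code: it treats a baseline as data and applies tailoring decisions while enforcing the rules the text states (a control may be removed only on a documented organizational or financial basis, never for convenience; a compensating control must address the risk of the control it replaces; every organization-defined parameter must be filled in; and the overlay must be re-reviewed on a cadence). The control identifiers are real SP 800-53 IDs, but the baseline contents, risk tags, parameter names, dates and the compensating control COMP-1 are constructed for illustration and are not the real SP 800-53 baselines.

```python
# Added example (not HITRUST, NIST, CMS or FedRAMP code): model a NIST SP 800-53 baseline
# overlay and check the five tailoring rules from the text. Control IDs are real SP 800-53
# identifiers; the baseline contents, risk tags, parameters, dates and the compensating
# control "COMP-1" are constructed for illustration and are not a real baseline.
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

ALLOWED_REMOVAL_BASIS = {"organizational", "financial"}   # the text permits removal only on these


@dataclass(frozen=True)
class Control:
    cid: str                            # SP 800-53 identifier, e.g. "AC-7"
    title: str
    params: tuple = ()                  # ((organization-defined parameter, value), ...); None = blank
    addresses: frozenset = frozenset()  # constructed tags for the risk the control mitigates


@dataclass(frozen=True)
class Tailoring:
    action: str                         # "add" | "remove" | "compensate" | "set_param"
    cid: str                            # baseline control the decision applies to
    basis: str = ""                     # e.g. "financial", "architectural", "contractual"
    justification: str = ""
    control: Optional[Control] = None   # control to add, or the compensating control
    param: Optional[tuple] = None       # (name, value) for "set_param"


# Constructed, abbreviated baselines: NOT the real SP 800-53 low/moderate control lists.
LOW = (
    Control("AC-2", "Account Management", (("review_frequency", None),), frozenset({"unauthorized-access"})),
    Control("AC-7", "Unsuccessful Logon Attempts", (("max_attempts", None), ("lockout_minutes", None)),
            frozenset({"credential-guessing"})),
    Control("AU-11", "Audit Record Retention", (("retention_days", None),), frozenset({"forensic-readiness"})),
    Control("CP-9", "System Backup", (("backup_frequency", None),), frozenset({"data-loss"})),
)
MODERATE = LOW + (
    Control("SC-8", "Transmission Confidentiality and Integrity", (), frozenset({"eavesdropping", "tampering"})),
    Control("SC-28", "Protection of Information at Rest", (), frozenset({"data-at-rest-exposure"})),
)
BASELINES = {"low": LOW, "moderate": MODERATE}


def build_overlay(baseline_name, tailorings, last_reviewed, today, review_interval_days=365):
    """Apply the tailoring decisions in order; return (overlay controls by ID, findings)."""
    controls = {c.cid: c for c in BASELINES[baseline_name]}          # step 1: scale
    findings = []
    for t in tailorings:
        if t.action == "add":                                          # step 2: scope, add
            controls[t.control.cid] = t.control
        elif t.action == "remove":                                     # step 2: scope, remove
            if t.basis not in ALLOWED_REMOVAL_BASIS or not t.justification.strip():
                findings.append(f"{t.cid}: removal rejected (basis={t.basis!r}); keeping control")
            else:
                controls.pop(t.cid, None)
        elif t.action == "compensate":                                 # step 3
            original = controls.get(t.cid)
            gap = original.addresses - t.control.addresses if original else set()
            if original is None or gap:   # substitute must cover the risk of what it replaces
                findings.append(f"{t.cid}: compensating control {t.control.cid} rejected "
                                f"(missing={sorted(gap)}, present={original is not None})")
                continue
            del controls[t.cid]
            controls[t.control.cid] = t.control
        elif t.action == "set_param" and t.cid in controls:            # step 4: fill in the blanks
            name, value = t.param
            c = controls[t.cid]
            controls[t.cid] = replace(c, params=tuple((n, value if n == name else v) for n, v in c.params))
        else:
            findings.append(f"{t.cid}: tailoring {t.action!r} could not be applied")
    for c in controls.values():       # step 4 check: a blank parameter leaves a control unimplementable
        for name, value in c.params:
            if value is None:
                findings.append(f"{c.cid}: organization-defined parameter {name!r} is still blank")
    if today - last_reviewed > timedelta(days=review_interval_days):  # step 5: periodic review
        findings.append(f"overlay last reviewed {last_reviewed}; review is overdue")
    return controls, findings


def example():
    """Constructed tailoring decisions applied to the constructed moderate baseline."""
    tailorings = (
        Tailoring("add", "SA-11", "contractual", "contract requires developer security testing",
                  control=Control("SA-11", "Developer Testing and Evaluation", (), frozenset({"insecure-code"}))),
        Tailoring("remove", "CP-9", "convenience", "backups are a hassle"),          # must be rejected
        Tailoring("compensate", "SC-8", "architectural", "legacy link cannot carry TLS",
                  control=Control("COMP-1", "Hypothetical encrypted circuit", (), frozenset({"eavesdropping"}))),
        Tailoring("set_param", "AC-7", param=("max_attempts", 5)),
        Tailoring("set_param", "AC-7", param=("lockout_minutes", 15)),
        Tailoring("set_param", "AU-11", param=("retention_days", 365)),
        Tailoring("set_param", "CP-9", param=("backup_frequency", "daily")),
    )
    return build_overlay("moderate", tailorings, last_reviewed=date(2019, 1, 15), today=date(2020, 6, 1))
```

Calling example() returns a seven-control overlay and four findings: the convenience-based removal of CP-9 and the integrity-less substitute for SC-8 are both rejected and the original controls retained, AC-2 still has a blank parameter, and the last review is past the interval. Encoding the rules this way means a tailoring decision that quietly widens the risk gap fails a check instead of disappearing into a spreadsheet.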

The HITRUST CSF

Widely used by industry, the HITRUST CSF is an information security and privacy framework developed specifically to give organizations the ability to address multiple relevant regulatory and ‘best practice’ requirements for information security- and privacy-related risk, including supply chain and other third-party risk.


Framework Structure

Structured similarly to International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) International Standard 27001[xiii], the HITRUST CSF was built as a highly tailored industry overlay of NIST SP 800-53 baseline controls by integrating relevant regulatory requirements (e.g., the California Consumer Privacy Act[xiv] (CCPA), Health Insurance Portability and Accountability Act[xv] (HIPAA), and General Data Protection Regulation[xvi] (GDPR)) and standards and best practices (e.g., ISO/IEC 27002[xvii], NIST SP 800-171, Payment Card Industry Data Security Standard[xviii] (PCI DSS), and the Cloud Security Alliance Cloud Controls Matrix[xix] (CSA CCM)), as shown in Figure 2. The HITRUST CSF was also built to allow additional tailoring of the framework to an organization’s specific needs based on various risk factors, thereby specifying an industry-acceptable level of due diligence and due care for the protection of information and individual privacy.

Figure 2. HITRUST Overlay of the NIST SP 800-53 Moderate Impact Control Baseline

The HITRUST CSF v9.4 release consists of 14 Control Categories, 49 Control Objectives, and 156 Controls.[xx] The HITRUST CSF Control Categories, with the number of Control Objectives and Controls in each, are listed in Table 1.

Table 1. HITRUST CSF Control Categories (Number of Control Objectives, Number of Controls)

Category  Category Name                                                    Objectives  Controls
0.0       Information Security Management Program                                   1         1
1.0       Access Control                                                            7        25
2.0       Human Resources Security                                                  4         9
3.0       Risk Management                                                           1         4
4.0       Security Policy                                                           1         2
5.0       Organization of Information Security                                      2        11
6.0       Compliance                                                                3        10
7.0       Asset Management                                                          2         5
8.0       Physical and Environmental Security                                       2        13
9.0       Communications and Operations Management                                 10        32
10.0      Information Systems Acquisition, Development, and Maintenance             6        13
11.0      Information Security Incident Management                                  2         5
12.0      Business Continuity Management                                            1         5
13.0      Privacy Practices                                                         7        21
Total                                                                              49       156

A graphic of the HITRUST CSF Control Categories and Objectives is provided in Figure 8, and a complete listing of HITRUST CSF Control Categories, Control Objectives, and Controls is provided in Table 13; both are in Appendix B – HITRUST CSF Structure.

Control Structure

Unlike controls in other frameworks, HITRUST CSF controls are extraordinarily comprehensive and prescriptive. Each control consists of the following elements:

• Control Reference: Control number and title.

• Control Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be managerial, operational, technical, or legal in nature, required to meet the control objective.

• Risk Factor Type: Predefined organizational, regulatory, or system (technical) risk factors[xxi] that increase the inherent risk to an organization or system, necessitating a higher level of compliance.

  ° Organizational Factors include, but are not limited to, the amount of sensitive information an organization holds and/or processes, the annual number of transactions, the relative size of the organization (based on a relevant estimator: volume of business or data), and geographic scope (state, multi-state, or off-shore, i.e., outside the U.S.).

  ° Regulatory Factors focus on the compliance requirements applicable to an organization and the systems in its environment, for example, compliance with PCI, FISMA, EU GDPR, and/or the Personal Data Protection Act.

  ° System Factors consider the various system attributes that would increase the likelihood or impact of a vulnerability being exploited (including assessing each system or system grouping to determine the associated level of compliance), for example, the number of interfaces to other systems and the number of users, as well as whether the system(s) store, process, or transmit security and privacy information; are accessible from the Internet; are accessible by a third party; exchange data with a third party/business partner; or are publicly accessible.

• Topics: Keywords indicating relevant categories associated with the control reference.

• Implementation Requirements: Detailed information to support the implementation of the control to meet the control objective. Requirements are defined based on relevant factors through three progressive implementation levels, or by specific segment.

• Implementation Requirement Levels: The HITRUST CSF’s risk-based approach applies security resources commensurate with the level of risk, or as required by applicable regulations or standards, by defining multiple levels of implementation requirements that increase in restrictiveness. Three levels of requirements are defined based on organizational, regulatory, or system (technical) risk factors. Level 1 provides the minimum baseline control requirements; each subsequent level encompasses the lower level and includes additional requirements commensurate with increasing levels of risk.

• Segment-Specific Requirement Levels: Certain industries, or segments of industries, have specific requirements that do not apply to others or would not be considered reasonable and appropriate from a general controls perspective. As a result, the HITRUST CSF contains specific implementation levels that provide additional requirements for these segments, e.g., cloud service providers, FedRAMP, EU GDPR.

• Control Standard Mapping by Level: Documented mapping to related authoritative source(s).

An example of a HITRUST CSF Control is provided in Table 2.

Table 2. HITRUST CSF Control Structure - Example


Scoping and Tailoring the HITRUST CSF

Risk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determine levels of risk in risk assessments. Risk factors are also used extensively in risk communications to highlight what strongly affects the levels of risk in particular situations, circumstances, or contexts. Typical risk factors include threat, vulnerability, impact, likelihood, and predisposing condition [emphasis added].xxii

NIST defines a predisposing condition as one that “exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operations, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, [or] other organizations.”xxiii

Table 3. Predisposing Conditions

Type | Example | Effect on Risk
Physical | Flood Plain | Increased likelihood of exposure to hurricanes or floods
Technical | Stand-Alone System | Decreased likelihood of exposure to a network-based attack
Administrative | Gap in Contingency Plans | Increased likelihood of exposure to a disruption in operations

HITRUST leverages this concept of predisposing conditions to create a set of organizational (e.g., number of records processed or maintained annually), technical (e.g., accessible by a third party), and regulatory/compliance risk factors (e.g., CMMC or the NIST Cybersecurity Framework), which help define relative risk between organizations, their architecture/technology, and their legislative, regulatory, and contractual requirements. This allows HITRUST to dynamically create new, highly tailored CSF Control overlays—essentially new control baselines—based on the risk factors relevant to an organization.

The use of risk factors to allow further tailoring of the HITRUST CSF Control Implementation Requirements and support the creation of dozens of new CSF Control overlays is unique to the HITRUST Approach. No other controls framework supports this level of customization ‘right out of the box.’

The HITRUST CSF Assurance Program

Governed and managed by HITRUST, the HITRUST CSF Assurance Programxxiv provides organizations a standardized methodology to effectively and consistently measure and manage information security and individual privacy-related risk. The program’s detailed testing procedures and robust control maturity and scoring model provide demonstrable efficiencies and cost-containment opportunities for many organizations, and the use of pre-qualified professional services firms and consultancies helps provide additional assurances around the accuracy, consistency, and repeatability of HITRUST CSF Assessments. The HITRUST CSF Assurance Program also provides organizations with an effective, standardized, and streamlined process to manage their compliance obligations across a multitude of standards, regulations, and frameworks.xxv

HITRUST Assessment Methodology

In many assessment approaches, assessors typically evaluate controls solely based on whether they are in place or implemented, resulting in a binary, compliance-oriented approach.xxvi Models in which partial implementation is noted are arguably more useful, but they also fail to provide an adequate view of organizational risk. Financial and information technology auditors often address this issue by evaluating control effectiveness and its two components: design effectiveness and operational effectiveness. Design effectiveness refers to how well a control is designed to address a specific control objective, i.e., the risk it was designed to control. And operational effectiveness addresses whether controls consistently operate over time as designed, i.e., if they continue to effectively address the risks they were designed to control.

Control Maturity

HITRUST takes these concepts of effectiveness and applies them through the lens of process maturity. But rather than evaluate the maturity of a specific process, HITRUST evaluates the effectiveness of a control’s implementation based on a control maturity model outlined by NIST Interagency Report (NISTIR) 7358, Program Review of Information Security Management Assistance (PRISMA).xxvii The PRISMA model provides five levels of maturity, which are roughly similar to the Carnegie Mellon Software Engineering Institute’s (CM-SEI’s) Capability Maturity Model Integrated (CMMI) process improvement model.xxviii

“The structure of a PRISMA Review is based upon the [CMMI], where an organization’s developmental advancement is measured by one of five maturity levels”xxix: (1) Policies, (2) Procedures, (3) Implementation, (4) Testing, and (5) Integration.xxx HITRUST adopted the model with only minor variation, as shown in Table 4.

Table 4. HITRUST CSF Control Implementation Maturity Model

Maturity Level – Name | Maturity Level – Description
1 – Policy | Does the organization know what it needs to do?
2 – Procedure | Does the organization know how to do it?
3 – Implemented | Has the organization done it?
4 – Measured | Does the organization keep track of it?
5 – Managed | Does the organization fix it if something goes wrong?

Like PRISMA, the first three levels of the HITRUST model provide rough equivalence with more traditional compliance-based assessments. First, control requirements must be clearly understood at all levels of the organization through documented policies or standards that are communicated with all stakeholders. Second, procedures must be in place to support the actual implementation of required controls. These first two levels essentially address the concept of design effectiveness. Third, the controls must be fully implemented and tested as required to ensure they operate as intended. HITRUST then modified the PRISMA model to specifically address the concept of ‘you can’t manage what you don’t measure’ in the fourth and fifth levels of the model, and it’s these last three levels that support the evaluation of a control’s operational effectiveness.

The five levels of control implementation maturity, with additional explanation, are:

1. Policy considers the existence of current, documented information security policies or standards in the organization’s information security program and whether they fully address the control’s implementation specifications. For example, if a requirement statement4 has multiple actions associated with it, does a corporate policy or standard address all its elements, either directly in the policy or indirectly by reference to an external standard? And does the policy apply to all organizational units and systems within the scope of the assessment?

4 ‘Requirement statement’ is used as a generic term to refer to a HITRUST CSF Control Implementation or Segment Requirement, or a MyCSF Requirement Statement, which may be composed of one or more HITRUST CSF Implementation or Segment Requirements.


2. Procedure considers the existence of documented procedures or processes developed from the policies or standards and whether they reasonably apply to the organizational units and systems within the scope of the assessment. For example, are there one or more written procedures that address the implementation of all the elements specified in a requirement statement?

3. Implemented looks at the actual implementation of the policies and whether the control’s implementation specifications are applied to all the organizational units and systems within the scope of the assessment. For example, are all elements of a requirement statement addressed by the implementation for all corporate shared services?

4. Measured considers the testing or measurement (metrics) of the specification’s implementation and whether they continue to remain effective. This idea of monitoring is not new, as the American Institute of Certified Public Accountantsxxxi (AICPA) lists monitoring, i.e., the process of assessing performance over time, as one of five interrelated components of internal control. However, the concept of continuous monitoring, upon which this level is based, is relatively new.

5. Managed reviews the organization’s management of its control implementations based on these metrics. For example, if common or special variations are discovered through testing or measurement of a control’s effectiveness, can the organization demonstrate it has a management process for this metric and, when common or special variations occur, can it show it has performed a root cause analysis and taken corrective action based on the results?

Together, the first three levels—Policy, Procedure, and Implemented—evaluate effectiveness at a specific ‘point-in-time’ while providing limited assurance that the controls will continue to be implemented in the future. The last two levels of the model—Measured and Managed—provide additional assurance that the controls will continue to be effective on an ongoing basis. HITRUST also helps organizations measure the effectiveness of a control’s implementation on an ongoing or ‘continuous’ basis by providing specific control requirements around an organization’s information security continuous monitoring program.

Evidence suggests that the more mature an organization’s information protection program is—specifically their information security controls that demonstrate proficiency of operation, management, and reporting—the more likely an organization will be to continue to operate those controls in a similar manner in the future. It can also be shown that mature organizations are less likely to suffer a breach, as mature controls are less likely to fail, and that these organizations are more likely to be able to contain a breach and minimize its impact should one occur. For example, Forrester Consulting has shown organizations that implement a CMM-based maturity model and have the highest level of maturity—even when limited to the area of identity and access management—incur roughly “half the number of breaches as the least mature … [and save] 40% in technology costs and an average of $5 million in breach costs.”xxxii

Compliance and Scoring

To help ensure consistency of evaluation, regardless of the assessor used to conduct an assessment, HITRUST provides general evaluation criteria, as shown in Table 14, Appendix C – HITRUST CSF Assessment Methodology, as well as assessment procedures specific to a particular HITRUST CSF Control Implementation Requirement, as shown in Table 15, also in Appendix C – HITRUST CSF Assessment Methodology.


Each maturity level is then evaluated and scored based on five levels of compliance, as shown in Table 5.

Table 5: HITRUST CSF Control Implementation Maturity Model Compliance Scale

Rating | Description
Non-Compliant (NC) | Very few if any of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). Rough numeric equivalent of 0% (point estimate) or 0% to 10% (interval estimate).
Somewhat Compliant (SC) | Some of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). Rough numeric equivalent of 25% (point estimate) or 11% to 32% (interval estimate).
Partially Compliant (PC) | About half of the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). Rough numeric equivalent of 50% (point estimate) or 33% to 65% (interval estimate).
Mostly Compliant (MC) | Many but not all the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). Rough numeric equivalent of 75% (point estimate) or 66% to 89% (interval estimate).
Fully Compliant (FC) | Most if not all the elements in the requirement statement exist for the maturity level evaluated (policy, procedure, implemented, measured, or managed). Rough numeric equivalent of 100% (point estimate) or 90% to 100% (interval estimate).

This robust approach to evaluating the maturity of a requirement’s implementation provides more accurate, consistent, and repeatable scoring that can help organizations better understand their overall risk profile and prioritize remediation efforts for any identified control gaps.

HITRUST Assurance

‘Assurance’ may be defined as “the act or action of assuring someone or something: such as [a] pledge [or] guarantee,”xxxiii where to ‘assure’ means “to make sure or certain: convince; … to inform positively, … to make certain the coming or attainment of: guarantee; … to make safe (as from risks or against overthrow): insure; [or] … to give confidence to.”xxxiv An assessment that provides high levels of assurance would subsequently suggest high levels of reliability, or the ability to rely on those assurances—what HITRUST refers to as rely-ability.

There are three principal areas of an assessment and reporting approach that contribute to rely-ability.xxxv The first area involves the controls themselves, as they must be comprehensive in breadth and depth to ensure all reasonably anticipated threats for the applicable contexts are addressed, risks are managed appropriately, and compliance requirements are met. The second focuses on the implementation of the controls, as they should be fully implemented, monitored, and managed to ensure they operate and will continue to operate as intended. And the third area involves the trustworthiness of the information provided about the first and second areas, which generally involves considerations around the independence and overall quality of the practitioners, professional services firms, and assessment methods employed.

While there are many specific criteria one could consider when evaluating the applicability of controls, their implementation, and the validity of assessment, there are six that are key: transparency, scalability, consistency, accuracy, integrity, and efficiency.

• Transparency – Are the controls incorporated and the assessment approach utilized, including its evaluation and scoring model, open and transparent to all stakeholders? More specifically, will the recipient of the report understand how the controls were selected, evaluated, and scored?

• Scalability – Is the assessment approach scalable to any size organization or, more specifically, can any size and type of organization leverage the approach? And does scaling of the control framework follow formal guidelines for tailoring the controls to the organization?


• Consistency – Are assessment results consistent regardless of the professional or professional services firm engaged? Or, more specifically, does the process ensure that individuals performing the work are evaluating and documenting their findings consistently? Does the assessment approach minimize variance and inconsistencies?

• Accuracy – Do assessment results accurately reflect the state of the controls implemented in an organization’s environment? Or, more specifically, what mechanisms are in place to facilitate the accurate evaluation and scoring of implemented controls?

• Integrity – Are assessments conducted and the results reported consistent with prescribed requirements for the assessment and reporting option? Or, more specifically, what processes are in place to ensure the assessor conducted the assessment faithfully and reported the results truthfully?

• Efficiency – Do assessments and their associated reports satisfy multiple stakeholders for multiple purposes? Or, more specifically, can the report be used by multiple relying parties?

Organizations have many options when it comes to assessing and reporting upon their information security and privacy posture; however, not all provide the same level of ‘rely-ability,’ as shown in Table 6 below for some of the most widely used control, assessment, and reporting frameworks: AICPA SOC2, HITRUST CSF, ISO 27001, and NIST SP 800-53.

Table 6. Assurance Criteria and Attributes of AICPA SOC2, HITRUST CSF, ISO 27001, and NIST SP 800-53

Criterion | Assessment Reporting Option Attribute | AICPA SOC2 | HITRUST CSF | ISO 27001 | NIST 800-53
Transparency | Open Controls Framework | N/A | Yes | Yes | Yes
Transparency | Open Assessment Methodology | Yes | Yes | No | Yes
Scalability | Tailorable Controls Framework | N/A | Yes | Yes | Yes
Scalability | Market-Based Assurance Program | Yes | Yes | Yes | No
Consistency | Prescriptive Control Assessment Methodology | Yes | Yes | No | Yes
Consistency | Trained, Vetted Assessor Pool | Yes | Yes | Yes | No
Accuracy | Maturity-Based Implementation Model | No | Yes | No | No
Accuracy | Quasi-Quantitative Scoring Approach | No | Yes | No | No
Integrity | Formal Assessor Program | Yes | Yes | Yes | No
Integrity | Centralized Quality Assurance | No | Yes | No | No
Efficiency | Integrated & Harmonized Control Framework | N/A | Yes | No | No
Efficiency | Standardized Report w/ Optional Scorecards | Yes | Yes | No | No

While other assessment and reporting options may provide an open control framework, many lack transparency in how the controls are derived, updated, or assessed. These frameworks are often “one size fits all” and not easily scalable to different types and sizes of organizations; and most of the available options do not leverage a control maturity model or quasi-quantitative scoring approach, which impacts the accuracy of the results. None of the other options listed provide a vetted and trained independent assessor pool, the lack of which can result in inconsistent assessment and reporting; and, while some may provide some type of training and vetting of assessors, none of the other options provide centralized quality assurance of assessment and reporting, the lack of which can adversely impact the overall integrity of the assurance provided. Additionally, most of the other available options are single purpose, resulting in less efficiency when reporting to multiple stakeholders.


Support for the NIST Cybersecurity Framework

The HITRUST Approach fully supports an organization’s implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurityxxxvi (“NIST Cybersecurity Framework”). The framework is intended to complement rather than replace an organization’s existing business or cybersecurity risk management process and cybersecurity program: organizations may keep their current processes and leverage the framework to identify opportunities to improve their management of cybersecurity risk. Alternatively, an organization without an existing cybersecurity program can use the framework as a reference to establish one.

The NIST Cybersecurity Framework consists of three main components. The Framework Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Core consists of four elements or levels: Functions, Categories, Subcategories, and Informative References. Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk, and NIST Cybersecurity Framework Profiles represent outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories.

However, the NIST Cybersecurity Framework cannot be implemented on its own as it does not specify the underlying controls or ‘activities’ necessary to achieve the outcomes specified by its Core Subcategories. And while NIST provides mappings to various Informative References such as the HITRUST CSF, ISO 27011, and its own NIST SP 800-53,xxxvii the NIST Cybersecurity Framework does not provide a mechanism to support the selection of a reasonable and appropriate set of controls from these various sources outside of a traditional, textbook approach to risk analysis and control specification.

The HITRUST CSF provides a risk-based approach to control selection that helps afford an industry-acceptable level of due diligence and due care for the protection of sensitive information as well as fully addresses the outcomes specified by the NIST Cybersecurity Framework’s Core Subcategories. Other components of the HITRUST Approach, such as the CSF Assurance Program, help address other aspects of the NIST Cybersecurity Framework, such as the organization’s Current Profile and Implementation Tiers.

Appendix D – HITRUST Support for the NIST Cybersecurity Framework provides a graphical depiction of how the HITRUST CSF provides the foundation for NIST Cybersecurity Framework implementation, and a complete discussion of the approach can be found in public-private sector guidance for implementation within the Healthcare and Public Health critical infrastructure sector,xxxviii available on the US-CERT Cybersecurity Framework Website.xxxix Organizations may also receive a HITRUST certification against the NIST Cybersecurity Framework based on the results of a HITRUST CSF Assessment.


The CMMC Approach

The DoD worked with various industry stakeholders in 2019 to develop the CMMC framework to help ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) when shared with industry partners within the DIB.

FCI is non-public contract information that is provided by, or generated for, the Government under a contract. Contractors must apply basic safeguarding requirements and procedures to protect FCI on covered contractor information systems, as required under the Federal Acquisition Regulation (FAR). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies. CUI has a higher protection requirement than FCI, and any non-federal system which houses CUI must comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012xl and implement the controls provided in NIST SP 800-171.xli

CMMC Model

The CMMC model measures cybersecurity with five levels of maturity aligned to a set of processes and practices. Practices are based on the type and sensitivity of information to be protected and the associated range of threats. The model framework organizes these processes and practices into a set of domains, as shown in Figure 3, and maps them across the five levels of maturity. To provide additional structure, the framework also aligns the practices to a set of capabilities within each domain.xlii

Figure 3: CMMC Model Framework (Simplified Hierarchical View)

Note that activities are specific actions that are taken to achieve the objectives or outcomes specified by a Practice; however, they are not specified by the model.

The CMMC model measures cybersecurity maturity with five Maturity Levels (MLs), each consisting of a set of Processes and Practices as shown in Figure 4. CMMC Processes range from ‘Performed’ at Level 1 to ‘Optimizing’ at Level 5, and CMMC Practices range from ‘Basic Cyber Hygiene’ at Level 1 to ‘Advanced/Progressive’ at Level 5.

[Figure 3 (image not reproduced): hierarchy of CMMC > Domains > Capabilities > Processes and Practices > Activities]


Figure 4. CMMC Levels and Descriptions

The CMMC maturity levels and the associated sets of processes and practices across domains are cumulative. For an organization to achieve a specific CMMC level for a Process or Practice, it must also demonstrate achievement of the preceding lower levels. However, although CMMC Processes and Practices are essentially independent, an organization is certified based on a ‘low watermark’ of the two. For example, an organization that has achieved ML 2 for Processes and ML 4 for Practices would be certified at CMMC ML 2.

Figure 5. CMMC Levels and Associated Focus

The actual CMMC ML an organization would be required to demonstrate is generally driven by the type and sensitivity of the information an organization receives, processes, or generates that requires protection and the range of threats to that information, as shown in Table 7. The achievement of higher CMMC levels enhances the ability of an organization to protect CUI and, for Levels 4-5, reduces the risk of Advanced Persistent Threats (APTs).

[Figures 4 and 5 (images not reproduced): Levels 1 to 5 with Processes Performed, Documented, Managed, Reviewed, Optimizing and Practices Basic Cyber Hygiene, Intermediate Cyber Hygiene, Good Cyber Hygiene, Proactive, Advanced/Progressive; focus labels Basic Safeguarding of FCI, Transition Step to Protect CUI, Increasing Protection of CUI, Reducing Risk of APTs]


Table 7. CMMC Maturity Levels

CMMC ML | Type of Information / Associated Threats
1 | Safeguard FCI
2 | Transition Step to Safeguarding CUI
3 | Safeguard CUI
4 | Safeguard CUI / Reduce Risks of APTs
5 | Safeguard CUI / Reduce Risks of APTs

Abbreviated descriptions of the Processes and Practices for each CMMC ML follow.

• CMMC Level 1

° Processes – Performed: Requires organizations to implement specified practices. As implementation may be ‘ad hoc,’ process maturity is not actually assessed at this level.

° Practices – Basic Cyber Hygiene: Focuses on the protection of FCI as required by 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.xliii

• CMMC Level 2

° Processes – Documented: As the name suggests, requires organizations to document the practices as well as the policies needed to guide their implementation.

° Practices – Intermediate Cyber Hygiene: Consists of a subset of the requirements specified in NIST SP 800-171xliv augmented by practices from other sources to address security more broadly than the confidentiality-specific requirements provided by NIST SP 800-171.

• CMMC Level 3

° Processes – Managed: Requires organizations to establish, maintain, and resource plans that detail specific activities used to implement CMMC Practices.

° Practices – Good Cyber Hygiene: Incorporates all NIST SP 800-171 requirements augmented by practices from other sources to address security more broadly.

• CMMC Level 4

° Processes – Reviewed: Requires organizations to review and measure practices for effectiveness and take corrective action when deficiencies are identified.

° Practices – Proactive: Focuses on advanced persistent threats (APTs) and incorporates a subset of enhanced security requirements from NIST SP 800-171B augmented by practices from other sources.

• CMMC Level 5

° Processes – Optimizing: Requires application of CMMC across the entirety of an organization.

° Practices – Advanced/Progressive: Increases the “depth and sophistication” of cybersecurity with additional practices.


Appendix E – CMMC Domains and Capabilities provides a list of the 17 CMMC Domains and the 43 Capabilities in the model, as well as the number of CMMC Practices that support each Capability by Practice Level. Appendix F – CMMC Practices provides a complete listing of all CMMC Practices organized by CMMC Domain and Practice Level and identifies the CMMC Capability for each CMMC Practice.

A brief discussion from the original source, additional CMMC clarification including examples, and supporting references for each CMMC Procedures Maturity Level and Practice are also available in CMMC Appendices V1.02,xlv Appendix B. However, the discussion and clarifications with examples in the CMMC Appendix are intended to be informational and do not constitute formal guidance or requirements. And, while references from FAR Clause 52.204-21 and NIST SP 800-171 indicate the language for the CMMC Practice is derived from these sources, all other references (e.g., to NIST SP 800-53) are also informational, and their inclusion does not imply implementing the referenced activities will necessarily meet CMMC requirements.

For a more complete discussion of the CMMC Model, see CMMC V1.02 and CMMC Appendices V1.02.

CMMC Assurance

CMMC is intended to address DoD information (FCI/CUI). If the systems and networks that receive DoD information are properly segmented, CMMC would generally not apply to the rest of the organization’s environment. The one exception is CMMC ML 5, which requires CMMC ML 4 compliance throughout the organization. However, only a fraction of the 300,000+ contractors that make up the DIB should require CMMC ML 5.xlvi

CMMC also specifies cybersecurity outcomes while relying on external sources to provide the underlying control requirements or activities needed to achieve those outcomes. Organizations must conduct a traditional, textbook risk analysis or leverage a control framework-based risk analysis to specify the necessary control requirements or activities needed to address each CMMC Practice. And, although not addressed in the CMMC model, a risk analysis is also needed to address ‘NFO’ requirements from NIST SP 800-171 r2, which are confidentiality controls “expected to be routinely satisfied by nonfederal organizations without specification”xlvii and any other due diligence and due care obligations an organization may have.

The lack of depth in the specification of underlying control requirements or activities, combined with the limited breadth of coverage addressed by CMMC certification, subsequently provides limited assurances around the appropriateness of implemented controls. And while the Process maturity model is a step in the right direction, additional CMMC assessment guidance is needed before we understand how well it will address the maturity of an organization’s implementation of specified control requirements or activities. However, we know the CMMC assessor model will follow the FedRAMP model fairly closely in that Certified Third-Party Assessor Organizations (C3PAOs) will be vetted if not also trained by the CMMC Accreditation Board. CMMC certifications will also be issued directly by the C3PAO that conducts the CMMC assessment.

Based upon what is currently known about the CMMC program, the level of assurance provided by CMMC certification—although addressing all three principal attributes of rely-able assurance—is relatively moderate. Assurance criteria and attributes for the CMMC approach are provided in Table 8, along with the HITRUST Approach for comparison.


Table 8. Assurance Criteria and Attributes of CMMC and HITRUST CSF

Criterion      Assessment Reporting Option Attribute          CMMC   HITRUST CSF
Transparency   Open Control Framework                         No     Yes
               Open Assessment Methodology                    Yes    Yes
Scalability    Tailorable Controls Framework                  No     Yes
               Market-Based Assurance Program                 Yes    Yes
Consistency    Prescriptive Control Assessment Methodology    No     Yes
               Trained, Vetted Assessor Pool                  Yes    Yes
Accuracy       Maturity-Based Implementation Model            Yes    Yes
               Quasi-Quantitative Scoring Approach            No     Yes
Integrity      Formal Assessor Program                        Yes    Yes
               Centralized Quality Assurance                  No     Yes
Efficiency     Integrated & Harmonized Control Framework      No     Yes
               Standardized Report w/ Optional Scorecard      No     Yes

Support for the NIST Cybersecurity Framework

CMMC currently does not map Practices to 40 of the NIST Cybersecurity Framework’s Core Subcategories, while 58 of the CMMC Practices are not mapped to any Core Subcategory. See Appendix G – NIST Cybersecurity Framework for a complete mapping of CMMC Practices and HITRUST CSF Controls to the NIST Cybersecurity Framework Core Subcategories. The lack of prescriptive control requirements or activities also makes CMMC unsuitable for NIST Cybersecurity Framework implementation.


HITRUST Support for CMMC

The overall structure of the HITRUST CSF and the HITRUST CSF Assurance Program’s approaches to evaluating control maturity are similar to the approach used in the CMMC model, as shown in Figure 6.

Figure 6. Structural Similarities Between the HITRUST and CMMC Approaches

However, while these similarities essentially allow HITRUST to support CMMC certification “out-of-the-box,” it is the differences between these two approaches that uniquely position HITRUST organizations to operationalize CMMC as part of their existing information protection program and quickly assess CMMC Practice and Process maturity with accuracy and precision.

HITRUST CSF Controls and CMMC Practices

HITRUST CSF Control References, Specifications, and Implementation Requirements are generally equivalent to CMMC Practice Identifiers, Practices, and Activities, as shown by the examples in Table 9.

Table 9. Structural Similarity Between the HITRUST CSF and the CMMC Model

HITRUST Control Reference: 09.c Segregation of Duties
CMMC Practice Identifier: AC.3.017

HITRUST Control Specification: Separation of duties shall be enforced to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
CMMC Practice: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

HITRUST Control Implementation Requirement: The organization identifies duties that require separation and defines information system access authorizations to support separation of duties.
CMMC Activity (see footnote 5): The organization separates [Assignment: organization-defined duties of individuals]; documents separation of duties of individuals; and defines information system access authorizations to support separation of duties. [NIST SP 800-53 R4 AC-5]

5 Activities are not provided in the CMMC model, and supporting guidance, clarification, and references in CMMC documentation should not be construed as requirements; however, such activities can and should be used as part of an organization’s overall information protection program when supported by a valid risk analysis (assessment).

[Figure 6 labels. CMMC: Domains, Capabilities, Processes, Practices, Activities. HITRUST: CSF Control Categories, PRISMA Model, CSF Control Objectives, CSF Control Specifications, Requirement Statements.]


HITRUST CSF Controls typically contain dozens of Implementation Requirements parsed amongst multiple levels and segments and are selected based on specific organizational, system, and regulatory risk factors. To support CMMC assessment and certification, HITRUST is adding five new regulatory factors in the CSF v9.4 release to support CMMC Practice Levels 1 through 5, as shown in Table 10. To support the cumulative nature of CMMC Practice Levels, a HITRUST regulatory risk factor for a CMMC Practice Level will include HITRUST CSF Control Implementation Requirements mapped to all preceding CMMC Practice Levels.

Table 10. HITRUST CSF Risk Factors for the CMMC Model

HITRUST CSF Risk Factor: Subject to CMMC Practice Level 1 Requirements
CMMC Practice Level: Level 1 – Basic Cyber Hygiene
  • FAR Clause 52.204-21

HITRUST CSF Risk Factor: Subject to CMMC Practice Level 2 Requirements
CMMC Practice Level: Level 2 – Intermediate Cyber Hygiene
  • FAR Clause 52.204-21
  • NIST SP 800-171 (Subset)
  • ‘Other requirements’ as specified in the CMMC Model (see footnote 6)

HITRUST CSF Risk Factor: Subject to CMMC Practice Level 3 Requirements
CMMC Practice Level: Level 3 – Good Cyber Hygiene
  • FAR Clause 52.204-21
  • DFAR Clause 252.204-7012
  • NIST SP 800-171 (All)
  • Expanded set of ‘other requirements’ as specified in the CMMC Model

HITRUST CSF Risk Factor: Subject to CMMC Practice Level 4 Requirements
CMMC Practice Level: Level 4 – Proactive
  • FAR Clause 52.204-21
  • DFAR Clause 252.204-7012
  • NIST SP 800-171 (All)
  • Expanded set of ‘other requirements’ as specified in the CMMC Model
  • Subset of requirements from NIST SP 800-171A

HITRUST CSF Risk Factor: Subject to CMMC Practice Level 5 Requirements
CMMC Practice Level: Level 5 – Advanced / Progressive
  • FAR Clause 52.204-21
  • DFAR Clause 252.204-7012
  • NIST SP 800-171 (All)
  • Expanded set of ‘other requirements’ as specified in the CMMC Model
  • Expanded subset of requirements from NIST SP 800-171A

By mapping HITRUST CSF Control Specifications to CMMC Practices, HITRUST is able to provide organizations a prescriptive set of reasonable and appropriate cybersecurity activities, tailored industry by industry, that subsequently provides an industry-acceptable standard for the due diligence and due care of FCI, CUI, and other types of sensitive information.

HITRUST will also provide mappings between the CSF and the CMMC model’s underlying sources (references) to allow organizations to integrate these requirements into their information protection program as well as support the generation of scorecards and other reports for these sources independent of CMMC.

6 Italicized text in the original table indicates changes from the previous level.


HITRUST CSF Assurance and CMMC Process Maturity

Use of the NIST PRISMA maturity model to granularly measure control implementation, combined with a comprehensive control framework-based approach to risk analysis and control specification, allows HITRUST to readily support evaluation of CMMC’s Process and Practice maturity requirements, as shown in Table 11.

Table 11. HITRUST CSF Assurance Program Support for the Evaluation of CMMC Process Maturity

CMMC Process Maturity Level 1 – Performed
  CMMC requirements: None
  HITRUST CSF Assurance Program requirements:
    Maturity Model: Implemented
    Targeted Controls (see footnote 7): None
    Scope: Specific organizational and system elements

CMMC Process Maturity Level 2 – Documented
  CMMC requirements:
    • Establish a policy that includes [DOMAIN NAME]
    • Document the CMMC practices to implement the [DOMAIN NAME] policy
  HITRUST CSF Assurance Program requirements:
    Maturity Model: Policy, Procedure, Implemented
    Targeted Controls: None
    Scope: Specific organizational and system elements

CMMC Process Maturity Level 3 – Managed
  CMMC requirements:
    • Establish a policy that includes [DOMAIN NAME]
    • Document the CMMC practices to implement the [DOMAIN NAME] policy
    • Establish, maintain, and resource a plan that includes [DOMAIN NAME]
  HITRUST CSF Assurance Program requirements:
    Maturity Model: Policy, Procedure (see footnote 8), Implemented
    Targeted Controls: All Plan-Related CSF Control Implementation Specifications (see footnote 9)
    Scope: Specific organizational and system elements

CMMC Process Maturity Level 4 – Reviewed
  CMMC requirements:
    • Establish a policy that includes [DOMAIN NAME]
    • Document the CMMC practices to implement the [DOMAIN NAME] policy
    • Establish, maintain, and resource a plan that includes [DOMAIN NAME]
    • Review and measure [DOMAIN NAME] activities for effectiveness
  HITRUST CSF Assurance Program requirements:
    Maturity Model: Policy, Procedure, Implemented, Measured, Managed
    Targeted Controls: All Plan-Related CSF Control Implementation Specifications
    Scope: Specific organizational and system elements

All CMMC Process Maturity Levels can be assessed solely by the HITRUST CSF Control Implementation Requirements that address the CMMC Practices specified by a CMMC Policy Maturity Level, with one exception: Maturity Level 3 also requires the targeted evaluation of a specific set of HITRUST CSF Control Implementation Requirements for organizational plans related to the 17 CMMC Domains.

The granular assessment of a HITRUST CSF Control Implementation Requirement’s implementation maturity facilitates the ability to ‘roll up’ these maturity scores based on a specific area of interest, e.g., HITRUST CSF Controls, Objectives, and Categories; a specific technology such as encryption and mobile devices; or a specific authoritative source such as SP 800-171 or—in this particular use case—CMMC Process as well as Practice Maturity Levels that require the implementation of specific controls.

7 HITRUST CSF Control Implementation Requirements needed to support a CMMC Process Maturity Level.

8 Italicized text in the original table indicates changes from the previous level.

9 A specific subset of HITRUST CSF Control Implementation Requirements that support formal planning around the 17 CMMC Model domains.


A mapping of HITRUST CSF Controls that contain Implementation Requirements related to the establishment, maintenance, and resourcing of plans that include the 17 CMMC Domains is provided in Table 12.

Table 12. Mapping of CMMC Domains to Plan-Related Controls in the HITRUST CSF

CMMC Domain: Access Control (AC)
  HITRUST CSF Plan-Related Control(s): 01.a Access Control Policy

CMMC Domain: Asset Management (AM)
  HITRUST CSF Plan-Related Control(s): 07.a Inventory of Assets

CMMC Domain: Audit and Accountability (AU)
  HITRUST CSF Plan-Related Control(s):
    09.aa Audit Logging
    09.ab Monitoring System Use
    09.ac Protection of Log Information

CMMC Domain: Awareness and Training (AT)
  HITRUST CSF Plan-Related Control(s): 02.e Information Security Awareness, Education & Training

CMMC Domain: Configuration Management (CM)
  HITRUST CSF Plan-Related Control(s): 10.k Change Control Procedures

CMMC Domain: Identification and Authentication (IA)
  HITRUST CSF Plan-Related Control(s): 01.a Access Control Policy

CMMC Domain: Incident Response (IR)
  HITRUST CSF Plan-Related Control(s): 11.c Responsibilities and Procedures

CMMC Domain: Maintenance (MA)
  HITRUST CSF Plan-Related Control(s): 08.j Equipment Maintenance

CMMC Domain: Media Protection (MP)
  HITRUST CSF Plan-Related Control(s): 09.o Management of Removable Media

CMMC Domain: Personnel Security (PS)
  HITRUST CSF Plan-Related Control(s): 02.a Roles and Responsibilities

CMMC Domain: Physical Protection (PE)
  HITRUST CSF Plan-Related Control(s): 08.c Securing Offices, Rooms, and Facilities

CMMC Domain: Recovery (RE)
  HITRUST CSF Plan-Related Control(s):
    09.l Back-up
    12.c Developing & Implementing Continuity Plans Incl. InfoSec

CMMC Domain: Risk Management (RM)
  HITRUST CSF Plan-Related Control(s):
    00.a Information Security Management Program
    03.a Risk Management Program Development
    05.i Identification of Risks Related to External Parties

CMMC Domain: Security Assessment (CA)
  HITRUST CSF Plan-Related Control(s):
    03.b Performing Risk Assessments
    05.b Information Security Coordination
    05.h Independent Review of Information Security

CMMC Domain: Situational Awareness (SA)
  HITRUST CSF Plan-Related Control(s):
    03.a Risk Management Program Development
    09.ab Monitoring System Use

CMMC Domain: Systems and Communications Protection (SC)
  HITRUST CSF Plan-Related Control(s):
    09.w Interconnected Business Information Systems
    10.a Security Requirements Analysis & Specification

CMMC Domain: System and Information Integrity (SI)
  HITRUST CSF Plan-Related Control(s):
    09.j Controls Against Malicious Code
    09.v Electronic Messaging
    09.ab Monitoring System Use
    10.m Control of Technical Vulnerabilities

Leveraging a HITRUST CSF Assessment to Support CMMC

Organizations can leverage their HITRUST CSF implementation and supporting HITRUST CSF Validated Assessments (with or without HITRUST CSF Certification) to evaluate compliance with CMMC requirements for both Process and Practice Maturity by simply selecting “Subject to CMMC” and selecting the appropriate CMMC Practice ML for an appropriately scoped assessment of their environment.

A HITRUST CSF Validated Assessment Report may also be requested with a CMMC Scorecard, which will provide Process and Practice Maturity for each CMMC Practice, Capability, and Category, as well as an aggregate CMMC Maturity Level for the scoped environment.


Final Thoughts/Key Takeaways

There are many similarities, and notable differences, between the HITRUST Approach and the CMMC approach to cybersecurity control maturity evaluation. It is the differences between these two approaches that uniquely position HITRUST organizations to operationalize CMMC as part of their existing information protection program.

The similarities between the HITRUST CSF Control References, Specifications, and Implementation Requirements and the CMMC Practice Numbers, Practices, and supporting cybersecurity activities allow HITRUST organizations to quickly identify areas of similarity, but only HITRUST is able to provide organizations a prescriptive set of reasonable and appropriate cybersecurity activities for each CMMC Practice.

To support CMMC assessment and certification, HITRUST has added five new regulatory factors in the CSF v9.4 release to support CMMC Maturity Levels 1 through 5. To support the cumulative nature of the CMMC practices in each level, a HITRUST regulatory risk factor for a CMMC maturity level will include HITRUST CSF Control Implementation Requirements mapped to all preceding CMMC maturity levels. All but one of the CMMC Process Maturity Levels can be assessed solely by the HITRUST CSF Control Implementation Requirements that address the CMMC Practices specified by a CMMC Policy Maturity Level.

To further prepare and inform organizations, HITRUST provides mappings between the CSF and the CMMC model’s underlying sources (references) to allow organizations to integrate these requirements into their information protection program as well as support the generation of scorecards and other reports for these sources independent of CMMC.

HITRUST has spent the last 12 years architecting and implementing a comprehensive and fully integrated approach to information risk management and compliance assessment and reporting that provides a level of transparency, scalability, consistency, accuracy, integrity, and efficiency simply not obtainable through other approaches. HITRUST’s unique and comprehensive approach to information risk management and compliance—The HITRUST Approach—addresses all these criteria to provide the most robust and ultimately rely-able assurance option available.


About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security, and risk management leaders from both the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience, all of which comprise the HITRUST Approach to a comprehensive information security and privacy risk and compliance management ecosystem.

Figure 7. The HITRUST Approach

HITRUST also actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.

[Figure 7 labels: STEP 1 IDENTIFY & DEFINE; STEP 2 SPECIFY; STEP 3 IMPLEMENT & MANAGE; STEP 4 ASSESS & REPORT.]


About the Authors

Bryan Cline, Ph.D., Chief Research Officer, HITRUST

Bryan provides thought leadership on risk management and compliance and develops the methodologies used in various components of the HITRUST Approach. This includes a focus on the design of the HITRUST CSF and the assessment and certification models used in the HITRUST CSF Assurance Programs, for which he provides technical direction and oversight. He’s also responsible for addressing emerging trends impacting risk management and compliance to ensure the HITRUST Approach sets the bar for organizations seeking the most comprehensive privacy and security frameworks available. Bryan previously served as HITRUST’s Vice President of Standards and Analysis.

Leslie Weinstein, M.S., President, CMMC Consulting, LLC

Leslie is an Army veteran and management consultant with 14 years of experience in intelligence and cyber operations, and strategy and policy consulting. She has eight years of experience in a joint environment, and three years of experience at the OSD level. Five years of active duty, complementing eight years as a federal civilian and consultant, provides a diverse and unique skill set that Leslie has successfully leveraged to solve some of the most complex issues facing the Department of Defense. Leslie is also a Major in the US Army Reserves, holds an MS from the National Intelligence University, and is currently an MBA candidate at the Cornell Johnson School of Management.


Appendix A – Glossary

Activity / Activities

An action or set of actions that are accomplished within a practice in order to make it successful. There can be multiple activities that make up a practice. Practices may only have one activity, and some may have a set of activities. [CMMC Glossary]

Advanced Persistent Threat (APT)

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. [NIST Glossary]

Adversary

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. [NIST Glossary]

Assessment

The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST Glossary]

Assessment Scope

The information systems and technology, infrastructure, and organizational elements that are the target of assessment. [HITRUST]

Asset (Organizational Asset)

Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). [NIST Glossary]

Assurance

Grounds for justified confidence that a claim has been or will be achieved. Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated. Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims. [NIST Glossary]

Audit

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. [NIST Glossary]

Automated Controls

Controls that have been programmed, configured, and/or embedded within a system. [Adapted from the ISACA Glossary]

Automated controls are performed by systems—not people—based on configurations, rulesets, or programming. An example of an automated control is forced password expiration after the number of days specified in the associated configuration. [HITRUST]

Breach

An incident where an adversary has gained access to the internal network of an organization or an organizationally owned asset in a manner that breaks the organizational policy for accessing cyber assets and results in the loss of information, data, or asset. A breach usually consists of the loss of an asset due to the gained access. [CMMC Glossary]

Capability

Capabilities are achievements to ensure cybersecurity objectives are met within each domain. Capabilities are met through the employment of practices and processes. Each domain is comprised of a set of capabilities. [CMMC Glossary]

Compliance

An adherence to the laws, regulations, standards, guidelines, and other specifications [such as contractual obligations] relevant to an organization’s business. [Adapted from the HITRUST Risk vs. Compliance Whitepaper, p. 3]

Continuous Monitoring (also Information Security Continuous Monitoring)

Maintaining ongoing awareness to support organizational risk decisions. See ‘Information Security Continuous Monitoring,’ ‘Risk Monitoring,’ and ‘Status Monitoring.’ (Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.) [NIST Glossary]

Continuous Monitoring Program (also Information Security Continuous Monitoring Program)

A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls. [NIST Glossary]

Control

The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. An attribute assigned to an asset that reflects its relative importance or necessity in achieving or contributing to the achievement of stated goals. [NIST Glossary] Synonymous with ‘Countermeasures’ and ‘Safeguards.’

A control is a collection of implementation requirements intended to satisfy the objective or outcome specified by a control specification; includes a control reference, i.e., a control number and name, risk factors, topical area tags, and supporting authoritative sources. [HITRUST]

Control Category

A topical grouping of control objectives and controls; the highest level in the HITRUST CSF control structure. [HITRUST]

Control Gap

An exception or deficiency in the implementation of an information security or privacy control. [HITRUST] Synonymous with ‘Control Deficiency.’

Control Implementation Requirement

A granular, often prescriptive requirement or activity within a HITRUST CSF control intended to help an organization achieve the outcome indicated by its Control Specification. [HITRUST]

Control Maturity

The extent to which a control is defined, implemented, measured, managed/controlled, and effective. [HITRUST] Also, ‘Control Implementation Maturity.’


Control Objective
A statement of the desired result or purpose to be achieved by one or more controls within a HITRUST CSF Control Category. [ISACA Glossary, adapted]

Control Reference
HITRUST CSF control number and title. [HITRUST Glossary]

Control Specification
The policies, procedures, guidelines, practices, or organizational structures specified in a control, which can be of administrative, technical, management, or legal nature, to meet a control objective. [HITRUST Glossary]

Controlled Unclassified Information (CUI)
Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. [NIST Glossary]

Corrective Action
Activities intended to remediate control deficiencies; actions taken to address causes of non-conformity, preclude hazards, or prevent the recurrence of a problem. [HITRUST]

Corrective Action Plan (CAP)
Corrective actions for an issuer for removing or reducing deficiencies or risks identified by the Assessor during the assessment of issuer operations. The plan identifies actions that need to be performed in order to obtain or sustain authorization. [NIST Glossary]

Countermeasures
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [NIST Glossary] Synonymous with ‘Security Controls’ or ‘Safeguards.’

Cybersecurity
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. [NIST Glossary]

Data
Information in a specific representation, usually as a sequence of symbols that have meaning [or] pieces of information from which ‘understandable information’ is derived. [NIST Glossary]

Defense Industrial Base (DIB)
The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. [DIB Sector-Specific Plan, DHS CISA]

Defined Process
A managed process that is tailored from [an] organization’s set of standard processes according to [its] tailoring guidelines; has a maintained process description; and contributes work products, measures, and other process improvement information to organizational process assets. [Adapted from CERT RMM v1.2]

Diligence
Earnest and persistent application of effort, especially as required by law. [FindLaw Dictionary]

Document
Information that is written, printed, or in electronic form that serves as evidence for practices, capabilities, procedures, maturity or processes performed by an organization. [CMMC Glossary]

Domain
Sets of capabilities that are based on cybersecurity best practices. There are 17 domains within CMMC. Each domain is assessed for practice and process maturity across five defined levels. [CMMC Glossary]

Due Care
The care that an ordinarily reasonable and prudent person would use under the same or similar circumstances; also called ‘ordinary care’ or ‘reasonable care.’ [FindLaw Dictionary]

The level of care expected from a reasonable person of similar competency under similar conditions. [ISACA Glossary]

Due Diligence
Such diligence as a reasonable person under the same circumstances would use; use of reasonable but not necessarily exhaustive efforts; also called ‘reasonable diligence.’ [FindLaw Dictionary]

The performance of those actions that are generally regarded as prudent, responsible, and necessary to conduct a thorough and objective investigation, review, and/or analysis. [ISACA Glossary]

Enhanced Overlay
An overlay that adds controls, enhancements, or additional guidance to security control baselines in order to highlight or address needs specific to the purpose of the overlay. See ‘Overlay.’ [NIST Glossary]

Federal Contract Information (FCI)
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. [48 CFR § 52.204-21]

High-Value Assets
Those assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States’ national security interests, foreign relations, economy – or to the public confidence, civil liberties, or public health and safety of the American people. [NIST Glossary]

High-Value Services
Services built upon high-value assets, on which the success of the organization’s mission depends. [CMMC Glossary, adapted]

Independent Measurement
Independent measures and metrics are prepared by a person or group (e.g., auditors, analysts) who are not influenced by the person or group responsible for the operation of the requirement/control being measured (e.g., the control owner). [HITRUST]

Information
Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. [NIST Glossary] Not to be confused with the term ‘Data.’

Maturity Model
A set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit the capabilities of that level. A tool that helps assess the current effectiveness of an organization and supports determining what capabilities it needs in order to obtain the next level of maturity and continue progression up the levels of the model. [CERT RMM v1.2]


Measure(s)
The results of data collection, analysis, and reporting. [NIST Glossary]

A standard used to evaluate and communicate performance against expected results (measures are normally quantitative in nature, capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction; reporting and monitoring measures help an organization gauge progress toward effective implementation of strategy). [ISACA Glossary]

Measurement
The process of data collection, analysis, and reporting. [NIST Glossary]

Measurements are “observations that quantitatively reduce uncertainty.” [Hubbard, D., Seiersen, R., Geer Jr., D., and McClure, S. (2016). How to Measure Anything in Cybersecurity Risk. John Wiley & Sons]

Metric(s)
Tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. [NIST Glossary]

A quantifiable entity that allows the measurement of the achievement of a process goal (metrics should be SMART: specific, measurable, actionable, relevant, and timely; complete metric guidance defines the unit used, measurement frequency, ideal target value (if appropriate), and also the procedure to carry out the measurement and the procedure for the interpretation of the assessment). [ISACA Glossary]

Natural Person
A human being as distinguished from a person (as a corporation) created by operation of law. [GDPR Art. 4]

Operational Measurement
Operational measures and metrics are prepared by a person or group responsible for the control/requirement being measured (e.g., the control owner) or by a person or group influenced by the control owner (a subordinate, a peer reporting to the same department head, etc.). [HITRUST]

Overlay
A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. [NIST Glossary]

Personal Data
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. [GDPR Art. 4]

Policy
Overall intention and direction as formally expressed by management, most often articulated in documents that record high-level principles or courses of action; the intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives, and strategic plans established by the enterprise’s management teams. [Adapted from the ISACA Glossary]

Procedure
A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes. [Adapted from the ISACA Glossary]

Residual Risk
The portion or amount of risk remaining after security measures have been applied. [NIST Glossary]

Resilience
The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. [NIST Glossary]

Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Information-related] … risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, [and] other organizations…. [NIST Glossary, adapted]

Risk Acceptance
The formal acceptance of a specific amount of risk by an individual or organization. [HITRUST]

Risk Analysis
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with ‘Risk Assessment.’ [NIST Glossary]

Risk Appetite
The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value. [NIST Glossary]

Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation of a system. A part of risk management, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with ‘Risk Analysis.’ [NIST Glossary, adapted]

Risk Avoidance
The elimination of risk by not engaging in a specific activity. [HITRUST]

Risk Capacity
The maximum amount of risk that an organization can tolerate. [HITRUST]

Risk Evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISACA Glossary]

Risk Management
The program and supporting processes to manage information security risk … and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time. [NIST Glossary, adapted]

Risk Mitigation
Prioritizing, evaluating, and implementing appropriate risk-reducing controls or countermeasures recommended from the risk management process. [NIST Glossary, adapted]

Risk Mitigation Plan
A strategy for mitigating risk that seeks to minimize the risk to an acceptable level. [CERT RMM v1.2] Synonymous with ‘risk strategy.’ [HITRUST]

Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result for a specific activity. [NIST Glossary, adapted]


Risk Transference
The redirecting or sharing of risk with another party, e.g., through insurance or indemnification. [HITRUST]

Risk Treatment
Selecting and implementing mechanisms to modify risk. Risk treatment options can include avoiding, optimizing, transferring, or retaining [accepting] risk. [ENISA Glossary]

Root-Cause Analysis (RCA)
A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks. [NIST Glossary]

An approach for determining the underlying causes of events or problems as a means of addressing the symptoms of such events as they manifest in organizational disruptions. [CERT RMM v1.2]

Rubric
An evaluation tool or set of guidelines to facilitate measurement against a consistent set of criteria. [Adapted from the Glossary of Education Reform]

Safeguards
Protective measures prescribed to meet the privacy (e.g., data quality, transparency of use of personal data) and security (e.g., confidentiality, integrity, and availability) requirements specified for an information system. Safeguards may include privacy and security features, management constraints, personal data minimization, use limitations for personal data, personnel security, and security of physical structures, areas, and devices. Synonymous with ‘Security Controls’ and ‘Countermeasures.’ [NIST Glossary, adapted]

Scaling
The act of applying the considerations necessary to select a specific control baseline in control frameworks with multiple baselines. A part of scoping. [NIST SP 800-53 r4, derived from the discussion on Tailoring]

Scoping
The act of applying specific technology-related, infrastructure-related, public access-related, scalability-related, common security control-related, and risk-related considerations on the applicability and implementation of individual security and privacy controls in the control baseline. Scoping considerations are considered a part of tailoring guidance. [NIST Glossary, derived from Scoping Guidance]

Security Assessment
See ‘Security Control Assessment.’

Security Controls
Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [NIST Glossary] See ‘Control.’ Synonymous with ‘Safeguards’ and ‘Countermeasures.’

Security Control(s) Assessment
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization. [NIST Glossary]

Security Control Baseline
A set of information security controls that has been established through information security strategic planning activities to address one or more specified security categorizations; this set of security controls is intended to be the initial security control set selected for a specific system once that system’s security categorization is determined. [NIST Glossary]

Security Domain
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. [NIST Glossary]

Security Policy
Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology independent. [NIST Glossary]

Security Practice Assessment
See ‘Security Control Assessment.’

Segregation/Separation of Duties
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets, and is commonly used so that no single person is in a position to introduce fraudulent or malicious code without detection. [ISACA Glossary, adapted]

Sensitive Information
Any type of information subject to security, privacy, and/or risk regulations that is to be secured from unauthorized access, use, disclosure, disruption, modification, or destruction to maintain confidentiality, integrity, and/or availability. [HITRUST Glossary]

Information where the loss, misuse, or unauthorized access or modification could adversely affect the [organization] or the conduct of [organizational] programs [or services], or the privacy to which individuals are entitled [by law]. [Adapted from the NIST Glossary]

Service
An act or activity performed on behalf of another party. [HITRUST]

Standard
A document, established by consensus and approved by a recognized body, that provides for common and repeated use rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context. [NIST Glossary]

Standard of Care
The degree of care or competence that one is expected to exercise in a particular circumstance or role. [FindLaw Dictionary]

Standard Process
An operational definition of the basic process that guides the establishment of a common process in an organization. A standard process describes the fundamental process elements that are expected to be incorporated into any defined process. It also describes relationships (e.g., ordering, interfaces) among these process elements. See also ‘Defined Process.’ [CERT RMM v1.2]

Tailored Security Control Baseline
A set of security controls resulting from the application of tailoring guidance to the security control baseline. See ‘Tailoring.’ [NIST Glossary]

Tailoring
The process by which security control baselines are modified by: (i) identifying and designating common controls; (ii) applying scoping considerations on the applicability and implementation of baseline controls; (iii) selecting compensating security controls; (iv) assigning specific values to organization-defined security control parameters; (v) supplementing baselines with additional security controls or control enhancements; and (vi) providing additional specification information for control implementation. [NIST Glossary]

Undocumented
Not supported by written proof. [Cambridge Dictionary]

Additional definitions are available in the HITRUST Glossary of Terms and Acronyms v4 (endnote xlviii) and CMMC Appendices v1.02, App. C.


Appendix B – HITRUST CSF Structure

Figure 8. HITRUST CSF Framework Structure – CSF Control Categories and Objectives (CSF v9.2)

Legend: top-level numbered entries are CSF Control Categories; the indented entries beneath each are its CSF Control Objectives.

0. Information Security Management Program
   0.01 Information Security Management Program
1. Access Control
   1.01 Business Requirements for Access Control
   1.02 Authorized Access to Information Systems
   1.03 User Responsibilities
   1.04 Network Access Control
   1.05 Operating System Access Control
   1.06 Application and Information Access Control
   1.07 Mobile Computing and Teleworking
2. Human Resources Security
   2.01 Prior to Employment
   2.02 During Onboarding
   2.03 During Employment
   2.04 Termination or Change of Employment
3. Risk Management
   3.01 Risk Management Program
4. Security Policy
   4.01 Information Security Policy
5. Organization of Information Security
   5.01 Internal Organization
   5.02 External Parties
6. Compliance
   6.01 Compliance with Legal Requirements
   6.02 Compliance with Security Policy
   6.03 Information Systems Audit Considerations
7. Asset Management
   7.01 Responsibility for Assets
   7.02 Information Classification
8. Physical and Environmental Security
   8.01 Secure Areas
   8.02 Equipment Security
9. Communications and Operations Management
   9.01 Documented Operations Procedures
   9.02 Third Party Service Delivery
   9.03 System Planning and Acceptance
   9.04 Malicious and Mobile Code Protection
   9.05 Information Backup
   9.06 Network Security Management
   9.07 Media Handling
   9.08 Exchange of Information
   9.09 Electronic Commerce Services
   9.10 Monitoring
10. Information Systems Acquisition, Development and Maintenance
   10.01 Security Requirements in Information Systems
   10.02 Correct Processing in Applications
   10.03 Cryptographic Controls
   10.04 Security of System Files
   10.05 Security in Development and Support Processes
   10.06 Vulnerability Management
11. Information Security Incident Management
   11.01 Incident and Weakness Reporting
   11.02 Incident and Improvement Management
12. Business Continuity
   12.01 Information Security Aspects of Business Continuity Management
13. Privacy Practices
   13.01 Transparency
   13.02 Individual Participation
   13.03 Purpose Specification
   13.04 Data Minimization
   13.05 Use Limitation
   13.06 Data Quality and Integrity
   13.07 Accountability and Auditing


Table 13. HITRUST CSF Control Categories, Control Objectives and Controls

Control Category: 00.0 - Information Security Management Program
  Objective Name: 00.01 Information Security Management Program
    Control Reference: 00.a Information Security Management Program

Control Category: 01.0 - Access Control
  Objective Name: 01.01 Business Requirement for Access Control
    Control Reference: 01.a Access Control Policy
  Objective Name: 01.02 Authorized Access to Information Systems
    Control Reference: 01.b User Registration
    Control Reference: 01.c Privilege Management
    Control Reference: 01.d User Password Management
    Control Reference: 01.e Review of User Access Rights
  Objective Name: 01.03 User Responsibilities
    Control Reference: 01.f Password Use
    Control Reference: 01.g Unattended User Equipment
    Control Reference: 01.h Clear Desk and Clear Screen Policy
  Objective Name: 01.04 Network Access Control
    Control Reference: 01.i Policy on the Use of Network Services
    Control Reference: 01.j User Authentication for External Connections
    Control Reference: 01.k Equipment Identification in Networks
    Control Reference: 01.l Remote Diagnostic and Configuration Port Protection
    Control Reference: 01.m Segregation in Networks
    Control Reference: 01.n Network Connection Control
    Control Reference: 01.o Network Routing Control
  Objective Name: 01.05 Operating System Access Control
    Control Reference: 01.p Secure Log-on Procedures
    Control Reference: 01.q User Identification and Authentication
    Control Reference: 01.r Password Management System
    Control Reference: 01.s Use of System Utilities
    Control Reference: 01.t Session Time-out
    Control Reference: 01.u Limitation of Connection Time
  Objective Name: 01.06 Application and Information Access Control
    Control Reference: 01.v Information Access Restriction
    Control Reference: 01.w Sensitive System Isolation
  Objective Name: 01.07 Mobile Computing and Teleworking
    Control Reference: 01.x Mobile Computing and Communications
    Control Reference: 01.y Teleworking

Control Category: 02.0 - Human Resources Security
  Objective Name: 02.01 Prior to Employment
    Control Reference: 02.a Roles and Responsibilities
    Control Reference: 02.b Screening
  Objective Name: 02.02 During On-Boarding
    Control Reference: 02.c Terms and Conditions of Employment
  Objective Name: 02.03 During Employment
    Control Reference: 02.d Management Responsibilities
    Control Reference: 02.e InfoSec Awareness, Education, and Training
    Control Reference: 02.f Disciplinary Process
  Objective Name: 02.04 Termination or Change of Employment
    Control Reference: 02.g Termination or Change Responsibilities
    Control Reference: 02.h Return of Assets
    Control Reference: 02.i Removal of Access Rights

Control Category: 03.0 - Risk Management
  Objective Name: 03.01 Risk Management Program
    Control Reference: 03.a Risk Management Program Development
    Control Reference: 03.b Performing Risk Assessments
    Control Reference: 03.c Risk Mitigation
    Control Reference: 03.d Risk Evaluation

Control Category: 04.0 - Security Policy
  Objective Name: 04.01 Information Security Policy
    Control Reference: 04.a Information Security Policy Document
    Control Reference: 04.b Review of the Information Security Policy

Control Category: 05.0 - Organization of Information Security
  Objective Name: 05.01 Internal Organization
    Control Reference: 05.a Management Commitment to Information Security
    Control Reference: 05.b Information Security Coordination
    Control Reference: 05.c Allocation of Information Security Responsibilities
    Control Reference: 05.d Authorization Process for Info Assets and Facilities
    Control Reference: 05.e Confidentiality Agreements
    Control Reference: 05.f Contact with Authorities
    Control Reference: 05.g Contact with Special Interest Groups
    Control Reference: 05.h Independent Review of Information Security
  Objective Name: 05.02 External Parties
    Control Reference: 05.i Identification of Risks Related to External Parties
    Control Reference: 05.j Addressing Security When Dealing with Customers
    Control Reference: 05.k Addressing Security in Third Party Agreements

Control Category: 06.0 - Compliance
  Objective Name: 06.01 Compliance with Legal Requirements
    Control Reference: 06.a Identification of Applicable Legislation
    Control Reference: 06.b Intellectual Property Rights
    Control Reference: 06.c Protection of Organizational Records

Control Category: 08.0 - Physical and Environmental Security (continued; the category and objective headers for these two controls fall on a page outside this excerpt)
    Control Reference: 08.l Secure Disposal or Re-Use of Equipment
    Control Reference: 08.m Removal of Property

Control Category: 09.0 - Communications and Operations Management
  Objective Name: 09.01 Documented Operating Procedures
    Control Reference: 09.a Documented Operations Procedures
    Control Reference: 09.b Change Management
    Control Reference: 09.c Segregation of Duties
    Control Reference: 09.d Separation of Dev, Test, and Ops Environments
  Objective Name: 09.02 Control Third Party Service Delivery
    Control Reference: 09.e Service Delivery
    Control Reference: 09.f Monitoring and Review of Third Party Services
    Control Reference: 09.g Managing Changes to Third Party Services
  Objective Name: 09.03 System Planning and Acceptance
    Control Reference: 09.h Capacity Management
    Control Reference: 09.i System Acceptance
  Objective Name: 09.04 Protection Against Malicious and Mobile Code
    Control Reference: 09.j Controls Against Malicious Code
    Control Reference: 09.k Controls Against Mobile Code
  Objective Name: 09.05 Information Back-Up
    Control Reference: 09.l Back-up
  Objective Name: 09.06 Network Security Management
    Control Reference: 09.m Network Controls
    Control Reference: 09.n Security of Network Services
  Objective Name: 09.07 Media Handling
    Control Reference: 09.o Management of Removable Media
    Control Reference: 09.p Disposal of Media
    Control Reference: 09.q Information Handling Procedure
    Control Reference: 09.r Security of System Documentation
  Objective Name: 09.08 Exchange of Information
    Control Reference: 09.s Information Exchange Policies and Procedures
    Control Reference: 09.t Exchange Agreements
    Control Reference: 09.u Physical Media in Transit
    Control Reference: 09.v Electronic Messaging
    Control Reference: 09.w Interconnected Business Information Systems
  Objective Name: 09.09 Electronic Commerce Services
    Control Reference: 09.x Electronic Commerce Services
    Control Reference: 09.y On-line Transactions
    Control Reference: 09.z Publicly Available Information
  Objective Name: 09.10 Monitoring
    Control Reference: 09.aa Audit Logging
    Control Reference: 09.ab Monitoring System Use
    Control Reference: 09.ac Protection of Log Information
    Control Reference: 09.ad Administrator and Operator Logs
    Control Reference: 09.ae Fault Logging
    Control Reference: 09.af Clock Synchronization

Control Category: 10.0 - InfoSys Acquisition, Dev, and Maintenance
  Objective Name: 10.01 Security Requirements of Information Systems
    Control Reference: 10.a Security Requirements Analysis and Specification
  Objective Name: 10.02 Correct Processing in Applications
    Control Reference: 10.b Input Data Validation
    Control Reference: 10.c Control of Internal Processing
    Control Reference: 10.d Message Integrity
    Control Reference: 10.e Output Data Validation
  Objective Name: 10.03 Cryptographic Controls
    Control Reference: 10.f Policy on the Use of Cryptographic Controls
    Control Reference: 10.g Key Management
  Objective Name: 10.04 Security of System Files
    Control Reference: 10.h Control of Operational Software
    Control Reference: 10.i Protection of System Test Data
    Control Reference: 10.j Access Control to Program Source Code
  Objective Name: 10.05 Security in Development and Support Processes
    Control Reference: 10.k Change Control Procedures
    Control Reference: 10.l Outsourced Software Development
  Objective Name: 10.06 Technical Vulnerability Management
    Control Reference: 10.m Control of Technical Vulnerabilities

Control Category: 11.0 - Information Security Incident Management
  Objective Name: 11.01 Reporting InfoSec Incidents and Weaknesses
    Control Reference: 11.a Reporting Information Security Events
    Control Reference: 11.b Reporting Security Weaknesses
  Objective Name: 11.02 Management of InfoSec Incidents and Improvements
    Control Reference: 11.c Responsibilities and Procedure
    Control Reference: 11.d Learning from Information Security Incidents
    Control Reference: 11.e Collection of Evidence

Control Category: 12.0 - Business Continuity Management
  Objective Name: 12.01 InfoSec Aspects of Business Continuity Management
    Control Reference: 12.a Including InfoSec in the BC Management Process
    Control Reference: 12.b Business Continuity and Risk Assessment
    Control Reference: 12.c Developing & Implementing BC Plans Incl. InfoSec
    Control Reference: 12.d Business Continuity Planning Framework

Control Reference: 06.d Data Protection and Privacy of Covered Information Control Reference: 12.e Testing, Maintaining and Re-Assessing BC Plans

Control Reference: 06.e Prevention of Misuse of Information Assets Control Category: 13.0 - Privacy Practices

Control Reference: 06.f Regulation of Cryptographic Controls Objective Name: 13.01 Transparency

Objective Name: 06.02 Compliance w/ Security Policies/Stds. & Tech. Compliance Control Reference: 13.a Privacy Notice

Control Reference: 06.g Compliance with Security Policies and Standards Control Reference: 13.b Openness and Transparency

Control Reference: 06.h Technical Compliance Checking Control Reference: 13.c Accounting of Disclosures

Objective Name: 06.03 Information System Audit Considerations Objective Name: 13.02 Individual Participation

Control Reference: 06.i Information Systems Audit Controls Control Reference: 13.d Consent

Control Reference: 06.j Protection of Information Systems Audit Tools Control Reference: 13.e Choice

Control Category: 07.0 - Asset Management Control Reference: 13.f Principle Access

Objective Name: 07.01 Responsibility for Assets Objective Name: 13.03 Purpose Specification

Control Reference: 07.a Inventory of Assets Control Reference: 13.g Purpose Legitimacy

Control Reference: 07.b Ownership of Assets Control Reference: 13.h Purpose Specification

Control Reference: 07.c Acceptable Use of Assets Objective Name: 13.04 Data Minimization

Objective Name: 07.02 Information Classification Control Reference: 13.i Collection Limitation

Control Reference: 07.d Classification Guidelines Control Reference: 13.j Data Minimization

Control Reference: 07.e Information Labeling and Handling Objective Name: 13.05 Use Limitation

Control Category: 08.0 - Physical and Environmental Security Control Reference: 13.k Use and Disclosure

Objective Name: 08.01 Secure Areas Control Reference: 13.l Retention and Disposal

Control Reference: 08.a Physical Security Perimeter Objective Name: 13.06 Data Quality and Integrity

Control Reference: 08.b Physical Entry Controls Control Reference: 13.m Accuracy and Quality

Control Reference: 08.c Securing Offices, Rooms, and Facilities Control Reference: 13.n Participation and Redress

Control Reference: 08.d Protecting Against External and Environmental Threats Control Reference: 13.o Compliant Management

Control Reference: 08.e Working in Secure Areas Objective Name: 13.07 Accountability & Auditing

Control Reference: 08.f Public Access, Delivery, and Loading Areas Control Reference: 13.p Governance

Objective Name: 08.02 Equipment Security Control Reference: 13.q Privacy and Impact Assessment

Control Reference: 08.g Equipment Siting and Protection Control Reference: 13.r Privacy Requirements for Contractors and Processors

Control Reference: 08.h Supporting Utilities Control Reference: 13.s Privacy Monitoring and Auditing

Control Reference: 08.i Cabling Security Control Reference: 13.t Privacy Protection Awareness and Training

Control Reference: 08.j Equipment Maintenance Control Reference: 13.u Privacy Protection Reporting

Control Reference: 08.k Security of Equipment Off-Premises


Appendix C – HITRUST CSF Assessment Methodology

Table 14. HITRUST CSF Control Implementation Maturity Model

Maturity Level | Requirement Statement-Level Evaluation Criteria

1 - Policy

• Do formal, up-to-date policies or standards exist that contain “shall” or “will” statements for each element of the requirement statement?

• Do the policies and standards that exist for each element of the requirement statement cover all major facilities and operations for the organizations and/or systems/assets in scope for the assessment?

• Are the policies and standards that exist for each element of the requirement statement approved by management and communicated to the workforce?

2 - Procedure

• Do formal, up-to-date, documented procedures exist for the implementation of each element of the requirement statement?

• Do the procedures clarify operational aspects such as how, when, who, and on what the action/control/requirement is to be performed?

• Do the procedures outline stakeholder responsibilities?

• Do the procedures address each element of the requirement statement across all applicable facilities, operations, and/or systems/assets in scope?

• Are procedures for the implementation of each element of the requirement statement communicated to the individuals who are required to follow them?

• Are the procedures approved by management?

3 - Implemented

• Is each element of the requirement statement implemented in a consistent manner everywhere that the policy and procedure apply, i.e., across the entire scope of applicable organizational and system elements, including the physical and logical systems used by a third party that support the workflows for the products and/or services provided by the organization?

• Are ad hoc approaches that tend to be applied on an individual or on a case-by-case basis discouraged?

4 - Measured

• Are self-assessments, audits, and/or tests routinely performed or other measures and/or metrics collected to evaluate the adequacy and effectiveness of the implementation of each element of the requirement statement?

• Are evaluation requirements, including requirements regarding the type and frequency of self-assessments, audits, tests, and/or metrics collection documented, approved, and effectively implemented?

• Does the frequency and rigor with which each element of the requirement statement is evaluated depend on the risks that will be posed if the implementation is not operating effectively?

• Are measures supported by documentation that specifically addresses what is measured, who is responsible for gathering the data, how the data is recorded, how the measurement is performed/calculated, and how often the measurement is reviewed and by whom?

• Do metrics meet all the requirements of a measure? Are they also tracked over time, and do they have explicitly stated (not implied) established thresholds (i.e., upper and/or lower bounds on a value) or targets (i.e., targeted goals, what the organization is trying to achieve)?

5 - Managed

• Is there a defined mechanism to track issues, risks, and risk treatment decisions?

• Are effective corrective actions taken or other risk treatments applied to address identified weaknesses in the elements of the requirement statement, including those identified as a result of potential or actual information security incidents or through information security alerts?

• Are measures and/or metrics provided to an appropriate level of management or, if not, is there a defined escalation or review process so that action may be taken by an appropriate level of management?

• Do decisions around corrective actions consider cost, level of risk, and mission impact?


Table 15. HITRUST Assessment Procedures by Maturity Level - Example

HITRUST CSF Control Implementation Requirement

Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.

Maturity Level | Assessment Procedures

Policy

Examine policies and/or standards related to the management of network services and determine if the ability of the network service provider to manage agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed to by management. The security arrangements necessary for these services, including security features, service levels, and management requirements, are identified and documented. If no written policy or standard exists, interview control owner(s) responsible for, key staff involved in/with, and/or other relevant stakeholders impacted by the policy/control requirement(s) and determine if the requirement(s) is/are understood. Evidence of ad hoc or informal policy may also be provided by observing individuals, systems, and/or processes associated with the management of network services to determine if the policy requirements are generally understood and implemented consistently. Review any written procedure(s) or examine documentation associated with informal or ad hoc processes to determine if the requirement(s) is/are addressed consistently by the entity.

Procedure

Determine if written procedures exist for management of network services and whether the procedure(s) address(es) each element of the policy/control requirement(s) stipulated in the policy level. Interview control owner(s) responsible for, key staff involved in/with, and/or other relevant stakeholders impacted by the policy/control requirements to determine if the procedure(s) address(es) all the required elements of the policy/control requirement(s) whether a written policy or procedure exists. Confirm their understanding of the procedure(s) as implemented and compare their understanding to any existing written procedure(s) to determine if they are consistent.

Implemented

Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), key staff, and/or relevant stakeholders, as needed, for the management of network services and determine if the policy/control requirements stipulated in the policy level have been implemented. For example, obtain a list of network service providers, including any internal network services provided locally or as an enterprise service, and compare the list to a list of network services agreements. Verify that each provider, including any internally provided services, has a network services agreement. Examine a representative sample of network services agreements and ensure they address the policy requirements for security, including the right to audit. If the original dates of the agreements can be determined, verify the network services agreements sampled were established prior to implementing/using the services. Ask if any of the service providers, including those provided by an internal network services manager, have been audited. Review documentation substantiating the audits. Review documentation substantiating the monitoring of these network services, including any actions taken to actively manage any security-relevant issues with the provided services.

Measured

Examine measure(s) that evaluate(s) the organization's compliance with the third-party management policy and determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the policy level. For example, the measure(s) could indicate the number of network services that do not have a policy-compliant network services agreement as a % of all network services received. Non-compliance with the policy requirements could be part of a broader metric that considers all deviations from network services requirements regardless of type if non-compliance with the requirements for network services agreements can be ascertained. Reviews, tests, or audits should be completed by the organization to measure the effectiveness of the implemented controls and to confirm that agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. Note a broader or more general measure may be used if a root cause analysis or similar examination would indicate a deficiency in the stipulated policy/control requirement(s) was the source of the observed deviation. A measure could also include regular or "ad hoc" reports or audits if it considers implementation of the appropriate policy/control requirement(s). If a metric adequately evaluates implementation of the policy/control requirement(s), also determine if the metric's frequency of observation (e.g., daily, weekly, or monthly) and performance targets (e.g., above 99% or no more than 5%) are appropriate for the policy/control requirement(s).

Managed

Obtain and examine supporting documentation maintained as evidence of these metrics, measures, tests, or audits to determine if the office or individual responsible reviews the information and, if issues were identified, they were investigated and corrected. Determine if the individual or office can correct issues without the need to routinely escalate the issues to the next level of management. Note the ability to escalate issues must also exist if the root cause of a specific incident cannot be addressed by the individual or office receiving and reviewing the metric or measurement. Examine related records to determine if the individual or office conducted any follow-ups on the deviations, and verify they were corrected as intended. If written records do not exist, interview personnel who receive and review the metric(s) to determine if ad hoc processes for investigation and resolution exist and if deviations occurred and were corrected.
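The Implemented and Measured procedures in Table 15 can be turned into a repeatable control test: compare the service inventory with the agreements, check each agreement for the documented security arrangements and right to audit, confirm it predates use of the service, and compute the non-compliance percentage against an explicit target. The Python below is an added example, not HITRUST's or any assessor's tooling; the record fields, deviation codes, providers and the 5% target are constructed for illustration (the target echoes the "no more than 5%" example in the Measured row).

```python
from dataclasses import dataclass
from datetime import date


# Constructed record types for this example; the field names are ours, not HITRUST's.
@dataclass(frozen=True)
class NetworkService:
    provider: str
    service: str
    in_use_since: date
    internal: bool = False  # internally provided services are in scope too


@dataclass(frozen=True)
class ServiceAgreement:
    provider: str
    service: str
    established: date
    security_features: bool        # security features identified and documented
    service_levels: bool           # service levels identified and documented
    management_requirements: bool  # management requirements identified and documented
    right_to_audit: bool           # right to audit agreed to by management


def evaluate_service(svc, agreements):
    """Implemented-level checks for one service.

    Returns the list of deviations; an empty list means the service has a
    policy-compliant agreement that was in place before the service was used."""
    matches = [a for a in agreements
               if a.provider == svc.provider and a.service == svc.service]
    if not matches:
        return ["NO_AGREEMENT"]
    agreement = matches[0]
    deviations = []
    if not agreement.security_features:
        deviations.append("SECURITY_FEATURES_NOT_DOCUMENTED")
    if not agreement.service_levels:
        deviations.append("SERVICE_LEVELS_NOT_DOCUMENTED")
    if not agreement.management_requirements:
        deviations.append("MANAGEMENT_REQUIREMENTS_NOT_DOCUMENTED")
    if not agreement.right_to_audit:
        deviations.append("NO_RIGHT_TO_AUDIT")
    if agreement.established > svc.in_use_since:
        deviations.append("AGREEMENT_POSTDATES_USE")
    return deviations


def noncompliance_measure(services, agreements):
    """Measured-level metric: services without a policy-compliant agreement as a
    percentage of all network services received. Returns (findings, percent)."""
    findings = {f"{s.provider}/{s.service}": evaluate_service(s, agreements)
                for s in services}
    if not services:
        return findings, 0.0
    noncompliant = sum(1 for deviations in findings.values() if deviations)
    return findings, 100.0 * noncompliant / len(services)


def meets_target(percent_noncompliant, max_percent=5.0):
    """Compare the metric with an explicitly stated upper bound (e.g. 'no more than 5%')."""
    return percent_noncompliant <= max_percent


# Constructed sample population; the providers are placeholders, not real companies.
SERVICES = [
    NetworkService("ExampleISP", "MPLS WAN", date(2019, 3, 1)),
    NetworkService("ExampleCloud", "Site-to-site VPN", date(2019, 9, 15)),
    NetworkService("Enterprise IT", "Campus LAN", date(2018, 1, 1), internal=True),
    NetworkService("ExampleDNS", "Managed DNS", date(2020, 2, 1)),
]
AGREEMENTS = [
    ServiceAgreement("ExampleISP", "MPLS WAN", date(2019, 2, 1), True, True, True, True),
    ServiceAgreement("ExampleCloud", "Site-to-site VPN", date(2019, 9, 1), True, True, True, False),
    # Internal service: agreement exists but was signed after the LAN went into use.
    ServiceAgreement("Enterprise IT", "Campus LAN", date(2018, 6, 1), True, True, True, True),
    # ExampleDNS has no agreement at all.
]

if __name__ == "__main__":
    findings, pct = noncompliance_measure(SERVICES, AGREEMENTS)
    for name, deviations in findings.items():
        print(f"{name}: {'compliant' if not deviations else ', '.join(deviations)}")
    print(f"{pct:.1f}% non-compliant; target met: {meets_target(pct)}")
```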


Appendix D – HITRUST Support for the NIST Cybersecurity Framework

The diagram below depicts the relationship between the underlying Informative References used to support risk analysis and control specification with the NIST Cybersecurity Framework’s Core, Profiles and Implementation Tiers.

Figure 9. HITRUST Support for the NIST Cybersecurity Framework


Appendix E – CMMC Domains and Capabilities

CMMC Capabilities are provided by Domain along with the distribution of Practices by Domain and Capability.10

Table 16. Number of CMMC Practices by CMMC Domain and Capability

CMMC Domain | CMMC Capability | CMMC Practices: L1 L2 L3 L4 L5 Totals

D01. Access Control (AC)

C001. Establish system access requirements 1 2 3

C002. Control internal system access 1 5 5 2 1 14

C003. Control remote system access 2 2 1 5

C004. Limit data access to authorized users and processes 2 1 1 4

Domain Subtotals 4 10 8 3 1 26

D02. Asset Management (AM)

C005. Identify and document assets 1 1

C006. Manage asset inventory 1 1

Domain Subtotals 1 1 2

D03. Audit and Accountability (AU)

C007. Define audit requirements 1 2 3

C008. Perform auditing 2 1 1 4

C009. Identify and protect audit information 2 2

C010. Review and manage audit logs 1 2 2 5

Domain Subtotals 4 7 2 1 14

D04. Awareness and Training (AT)

C011. Conduct security awareness activities 1 1 2 4

C012. Conduct Training 1 1

Domain Subtotals 2 1 2 5

D05. Configuration Management (CM)

C013. Establish configuration baselines 3 3

C014. Perform configuration and change management 3 3 1 1 8

Domain Subtotals 11

D06. Identification and Authentication

C015. Grant access to authenticated entities 2 5 4 11

Domain Subtotals 11

D07. Incident Response

C016. Plan incident response 1 1 1 3

C017. Detect and report events 2 2

C018. Develop and implement a response to a declared incident 1 1 1 2 5

C019. Perform post-incident reviews 1 1

C020. Test incident response 1 1 2

Domain Subtotals 5 2 2 4 13

D08. Maintenance (MA)

C021. Manage maintenance 4 2 6

Domain Subtotals 4 2 6

10 CMMC Domains and Capabilities were obtained and Practice counts were derived from CMMC Model v1.02 and CMMC Appendices v1.02.


D09. Media Protection (MP)

C022. Identify and mark media 1 1

C023. Protect and control media 3 1 4

C024. Sanitize media 1 1

C025. Protect media during transport 2 2

Domain Subtotals 1 3 4 8

D10. Personnel Security (PS)

C026. Screen personnel 1 1

C027. Protect CUI during personnel actions 1 1

Domain Subtotals 2 2

D11. Physical Protection (PE)

C028. Limit physical access 4 1 1 6

Domain Subtotals 4 1 1 6

D12. Recover (RE)

C029. Manage backups 2 1 3

C030. Manage information security continuity 1 1

Domain Subtotals 2 1 1 4

D13. Risk Management (RM)

C031. Identify and evaluate risk 2 1 3 6

C032. Manage risk 1 2 2 5

C033. Manage supply chain risk 1 1

Domain Subtotals 3 3 4 2 12

D14. Security Assessment (CA)

C034. Develop and manage a system security plan 1 1 2

C035. Define and manage controls 2 1 2 5

C036. Perform code reviews 1 1

Domain Subtotals 3 2 3 8

D15. Situational Awareness (SA)

C037. Implement threat monitoring 1 2 3

Domain Subtotals 1 2 3

D16. Systems and Communications Protection (SC)

C038. Define security requirements for systems and communications 2 13 2 2 19

C039. Control communications at system boundaries 2 2 3 1 8

Domain Subtotals 2 2 15 5 3 27

D17. System and Information Integrity (SI)

C040. Identify and manage information system flaws 1 1 1 3

C041. Identify malicious content 3 1 4

C042. Perform network and system monitoring 2 1 1 4

C043. Implement advanced email protections 2 2

Domain Subtotals 4 3 3 1 2 13

Totals 17 55 58 26 15 171


Appendix F – CMMC Practices

CMMC Practices and associated Capability, organized by Domain and Practice level, are provided along with mappings to NIST Cybersecurity Framework Core Subcategories and HITRUST CSF Controls.11,12 HITRUST CSF Control Numbers marked by an asterisk indicate controls that provide primary support for the associated CMMC Practice. The remaining controls provide additional support for CMMC Practice implementation.
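The primary/supporting distinction described above is what makes Table 17 usable for a gap analysis: an organization that has assessed a set of HITRUST CSF controls can ask which CMMC Practices at a target level have all of their primary controls covered. The Python below is an added example, not HITRUST's or the CMMC program's tooling; the sample rows are transcribed from Table 17, and the parsers follow the page's notation (two-digit category, dot, one- or two-letter control, optional asterisk for primary support; "Does Not Map" for an empty NIST column).

```python
import re
from collections import defaultdict

# HITRUST CSF control numbers look like "01.a" or "09.ab"; a trailing asterisk
# marks primary support for the practice (Table 17 convention). The tokenizer
# accepts spaced, comma-separated and run-together lists alike.
_HITRUST_RE = re.compile(r"(\d{2}\.[a-z]{1,2})(\*?)")
_NIST_RE = re.compile(r"[A-Z]{2}\.[A-Z]{2}-\d+")


def parse_controls(text):
    """Return [(control_no, is_primary), ...] in the order written."""
    return [(num, star == "*") for num, star in _HITRUST_RE.findall(text)]


def parse_nist(text):
    """Return the NIST CSF subcategory IDs; 'Does Not Map' yields an empty list."""
    return _NIST_RE.findall(text)


def practice_level(practice_id):
    """The middle field of a CMMC practice ID is its level: 'AC.2.009' -> 2."""
    return int(practice_id.split(".")[1])


def build_crosswalk(rows):
    """Map practice ID -> capability, level, NIST refs, primary and supporting controls."""
    crosswalk = {}
    for pid, capability, nist, controls in rows:
        parsed = parse_controls(controls)
        crosswalk[pid] = {
            "capability": capability,
            "level": practice_level(pid),
            "nist": parse_nist(nist),
            "primary": {c for c, primary in parsed if primary},
            "supporting": {c for c, primary in parsed if not primary},
        }
    return crosswalk


def reverse_index(rows):
    """Map HITRUST control -> the practices it supports, split by support type."""
    index = defaultdict(lambda: {"primary": set(), "supporting": set()})
    for pid, _capability, _nist, controls in rows:
        for control, primary in parse_controls(controls):
            index[control]["primary" if primary else "supporting"].add(pid)
    return dict(index)


def primary_coverage(rows, assessed_controls, target_level):
    """Split the practices at or below target_level (CMMC levels are cumulative)
    into those whose primary controls were all assessed and those with a gap.
    Returns (covered_ids, {practice_id: [missing primary controls]})."""
    assessed = set(assessed_controls)
    covered, gaps = set(), {}
    for pid, info in build_crosswalk(rows).items():
        if info["level"] > target_level:
            continue
        missing = sorted(info["primary"] - assessed)
        if missing:
            gaps[pid] = missing
        else:
            covered.add(pid)
    return covered, gaps


# Constructed sample: a handful of rows transcribed from Table 17 in the
# (practice, capability, NIST CsF, HITRUST CSF) order the table uses.
SAMPLE_ROWS = [
    ("AC.1.001", "C001", "PR.AC-1 PR.AC-3 PR.AC-4 PR.AC-6 PR.PT-3 PR.PT-4",
     "01.a* 01.b 01.e 01.i 01.q 01.s 01.v 01.x 01.y 02.i 06.c 09.m 09.x 09.y 10.j"),
    ("AC.1.003", "C004", "ID.AM-4 PR.AC-3", "01.i* 09.m* 09.s"),
    ("AC.1.004", "C004", "Does Not Map", "09.z*"),
    ("AC.2.009", "C002", "PR.AC-7", "01.p*"),
    ("AU.2.044", "C010", "PR.PT-1", "09.ab*"),
    ("AU.3.048", "C008", "Does Not Map", "09.aa* 09.ab* 09.ac*"),
]

if __name__ == "__main__":
    # Controls assumed assessed in a hypothetical HITRUST engagement.
    covered, gaps = primary_coverage(SAMPLE_ROWS, {"01.a", "01.i", "09.m", "09.z"}, 2)
    print("Level 2 practices fully covered by primary controls:", sorted(covered))
    print("Level 2 practices with a primary-control gap:", gaps)
    for control, uses in sorted(reverse_index(SAMPLE_ROWS).items()):
        print(control, "primary for", sorted(uses["primary"]),
              "| supporting", sorted(uses["supporting"]))
```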

Table 17. CMMC Practices with Mappings to the NIST Cybersecurity Framework and HITRUST CSF

Columns: CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

D01 ACCESS CONTROL (AC)

Level 1

AC.1.001 C001
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
NIST CsF: PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
HITRUST CSF: 01.a*, 01.b, 01.e, 01.i, 01.q, 01.s, 01.v, 01.x, 01.y, 02.i, 06.c, 09.m, 09.x, 09.y, 10.j

AC.1.002 C002
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
NIST CsF: PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
HITRUST CSF: 01.a, 01.b*, 01.c, 01.e, 01.i, 01.s, 01.v, 02.i, 09.s, 10.j

AC.1.003 C004
Verify and control/limit connections to and use of external information systems.
NIST CsF: ID.AM-4, PR.AC-3
HITRUST CSF: 01.i*, 09.m*, 09.s

AC.1.004 C004
Control information posted or processed on publicly accessible information systems.
NIST CsF: Does Not Map
HITRUST CSF: 09.z*

Level 2

AC.2.005 C001
Provide privacy and security notices consistent with applicable CUI rules.
NIST CsF: Does Not Map
HITRUST CSF: 01.p, 05.j, 06.e*

AC.2.006 C001
Limit use of portable storage devices on external systems.
NIST CsF: ID.AM-4, PR.PT-2
HITRUST CSF: 09.s*

11 CMMC Practice and Capability IDs, CMMC Practice Descriptions, and NIST Cybersecurity Framework Mappings were obtained from CMMC Model v1.02 and CMMC Appendices v1.02.

12 Mappings to HITRUST CSF Control Numbers are based on Control Specifications; a more complete mapping to HITRUST CSF Control Implementation Requirements will be available beginning with the HITRUST CSF v9.4 release.

AC.2.007 C002
Employ the principle of least privilege, including for specific security functions and privileged accounts.
NIST CsF: PR.AC-4
HITRUST CSF: 01.a*, 01.c, 01.i, 01.q, 01.s, 10.j

AC.2.008 C002
Use non-privileged accounts or roles when accessing non-security functions.
NIST CsF: Does Not Map
HITRUST CSF: 01.c*

AC.2.009 C002
Limit unsuccessful logon attempts.
NIST CsF: PR.AC-7
HITRUST CSF: 01.p*

AC.2.010 C002
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
NIST CsF: Does Not Map
HITRUST CSF: 01.g, 01.h, 01.t*

AC.2.011 C002
Authorize wireless access prior to allowing such connections.
NIST CsF: PR.PT-4
HITRUST CSF: 01.i, 01.j, 07.a*, 09.m*

AC.2.013 C003
Monitor and control remote access sessions.
NIST CsF: PR.AC-3, PR.PT-4
HITRUST CSF: 01.j*

AC.2.015 C003
Route remote access via managed access control points.
NIST CsF: PR.AC-3, PR.PT-4
HITRUST CSF: 01.n*

AC.2.016 C004
Control the flow of CUI in accordance with approved authorizations.
NIST CsF: ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
HITRUST CSF: 01.m*, 09.s*

Level 3

AC.3.012 C002
Protect wireless access using authentication and encryption.
NIST CsF: PR.PT-4
HITRUST CSF: 01.j*, 09.m*

AC.3.014 C003
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
NIST CsF: PR.AC-3, PR.PT-4
HITRUST CSF: 05.i, 09.s*

AC.3.017 C002
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
NIST CsF: PR.AC-4
HITRUST CSF: 09.c*

AC.3.018 C002
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
NIST CsF: PR.AC-4
HITRUST CSF: 01.c*

AC.3.019 C002
Terminate (automatically) user sessions after a defined condition.
NIST CsF: Does Not Map
HITRUST CSF: 01.t*

AC.3.020 C002
Control connection of mobile devices.
NIST CsF: PR.AC-3, PR.AC-6
HITRUST CSF: 01.x*

AC.3.021 C003
Authorize remote execution of privileged commands and remote access to security-relevant information.
NIST CsF: PR.AC-3, PR.PT-4
HITRUST CSF: 01.j*

AC.3.022 C004
Encrypt CUI on mobile devices and mobile computing platforms.
NIST CsF: PR.AC-3
HITRUST CSF: 01.x*, 10.f*

Level 4

AC.4.023 C002
Control information flows between security domains on connected systems.
NIST CsF: ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, DE.AE-1
HITRUST CSF: 01.m*, 09.m*

AC.4.025 C002
Periodically review and update CUI program access permissions.
NIST CsF: Does Not Map
HITRUST CSF: 01.e*

AC.4.032 C003
Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.
NIST CsF: Does Not Map
HITRUST CSF: 01.j, 09.s*

Level 5

AC.5.024 C002
Identify and mitigate risk associated with unidentified wireless access points connected to the network.
NIST CsF: PR.DS-5, DE.AE-1, DE.CM-7
HITRUST CSF: 09.m*

D02 ASSET MANAGEMENT (AM)

Level 1

None

Level 2

None

Level 3

AM.3.036 C005
Define procedures for the handling of CUI data.
NIST CsF: Does Not Map
HITRUST CSF: 06.c*, 09.q

Level 4

AM.4.226 C006
Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
NIST CsF: ID.AM-1, ID.AM-2
HITRUST CSF: 07.a*

Level 5

None

D03 AUDIT AND ACCOUNTABILITY (AU)

Level 1

None

Level 2

AU.2.041 C007
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
NIST CsF: DE.CM-1, DE.CM-3, DE.CM-7
HITRUST CSF: 01.q*, 09.aa, 09.ac, 09.ad, 09.ae

AU.2.042 C008
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
NIST CsF: DE.CM-1, DE.CM-3, DE.CM-7
HITRUST CSF: 09.aa*, 09.ac, 09.ad, 09.ae, 10.h

AU.2.043 C008
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
NIST CsF: PR.PT-1
HITRUST CSF: 09.af*

AU.2.044 C010
Review audit logs.
NIST CsF: PR.PT-1
HITRUST CSF: 09.ab*

Level 3

AU.3.045 C007
Review and update logged events.
NIST CsF: Does Not Map
HITRUST CSF: 09.aa*

AU.3.046 C007
Alert in the event of an audit logging process failure.
NIST CsF: Does Not Map
HITRUST CSF: 09.ac*

AU.3.048 C008
Collect audit information (e.g., logs) into one or more central repositories.
NIST CsF: Does Not Map
HITRUST CSF: 09.aa*, 09.ab*, 09.ac*

AU.3.049 C009
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
NIST CsF: Does Not Map
HITRUST CSF: 06.c, 06.j, 09.ac*, 09.ad

AU.3.050 C009
Limit management of audit logging functionality to a subset of privileged users.
NIST CsF: Does Not Map
HITRUST CSF: 06.j*, 09.ac

AU.3.051 C010
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
NIST CsF: DE.AE-3
HITRUST CSF: 09.ab*

AU.3.052 C010
Provide audit record reduction and report generation to support on-demand analysis and reporting.
NIST CsF: RS.AN-3
HITRUST CSF: 09.ab*

Level 4

AU.4.053 C010
Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
NIST CsF: DE.AE-3
HITRUST CSF: 09.ab*

AU.4.054 C010
Review audit information for broad activity in addition to per-machine activity.
NIST CsF: PR.PR-1
HITRUST CSF: 09.ab*

Level 5

AU.5.055 C008
Identify assets not reporting audit logs and assure appropriate organizationally-defined systems are logging.
NIST CsF: Does Not Map
HITRUST CSF: 09.ab*

D04 AWARENESS AND TRAINING (AT)

Level 1

Page 46: The Department of Defense (DoD) Cybersecurity Maturity ... · shared as is in full, in any form or by any means, ... networks, installations, capabilities, and services. ... or cybersecurity

HITRUST and the DoD CMMC 46<< Back to Contents

v.HT-149-01 © 2020 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.

CMMC Practice ID

CMMC Capability ID

CMMC Practice DescriptionNIST CsF Element

No.HITRUST CSF Control No.

None

Level 2

AT.2.056 C011Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the ap-plicable policies, standards, and procedures related to the security of those systems.

PR.AT-1PR.AT-2PR.AT-3PR.AT-4PR.AT-5

02.e*09.j

AT.2.057 C012Ensure that personnel are trained to carry out their assigned information securi-ty-related duties and responsibilities.

PR.AT-1PR.AT-2PR.AT-3PR.AT-4PR.AT-5

02.e*

Level 3

AT.3.058 C011Provide security awareness training on recognizing and reporting potential indica-tors of insider threat.

ID.RA-3 02.e*

Level 4

AT.4.059 C011

Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious be-haviors; update the training at least annually or when there are significant changes to the threat.

PR.AT-1PR.AT-2PR.AT-3PR.AT-4PR.AT-5

02.e*11.a*

AT.4.060 C011Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.

PR.AT-1PR.AT-2PR.AT-3PR.AT-4PR.AT-5

02.e*

Level 5

None

D05 CONFIGURATION MANAGEMENT (CM)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
CM.2.061 | C013 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | ID.AM-1, ID.AM-2, PR.DS-3, PR.DS-7, PR.IP-1, DE.AE-1 | 07.a*, 09.w, 10.k*
CM.2.062 | C013 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | PR.IP-1, PR.PT-3 | 01.c, 01.l*
CM.2.063 | C013 | Control and monitor user-installed software. | DE.CM-3 | 09.j*
CM.2.064 | C014 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | ID.AM-1, ID.AM-2, PR.DS-3, PR.DS-7, PR.IP-1, DE.AE-1 | 10.h, 10.k*
CM.2.065 | C014 | Track, review, approve, or disapprove, and log changes to organizational systems. | PR.IP-1, PR.IP-3 | 09.b, 10.h, 10.k*
CM.2.066 | C014 | Analyze the security impact of changes prior to implementation. | PR.IP-3 | 03.d*, 09.b, 09.i, 10.h, 10.k

Level 3
CM.3.067 | C014 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | PR.IP-1 | 09.b, 09.d, 10.h, 10.j, 10.k*
CM.3.068 | C014 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | PR.IP-1, PR.PT-3 | 01.l*, 10.h*, 10.m*
CM.3.069 | C014 | Apply a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or a deny all, permit by exception (whitelisting) policy to allow the execution of authorized software. | PR.PT-3 | 01.l*, 10.h*

Level 4
CM.4.073 | C014 | Employ application whitelisting and an application vetting process for systems identified by the organization. | PR.PT-3 | 01.l*

Level 5
CM.5.074 | C014 | Verify the integrity and correctness of security-critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures). | PR.DS-6, PR.DS-8, PR.IP-2 | 10.c*, 10.h

D06 IDENTIFICATION AND AUTHENTICATION (IA)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
IA.1.076 | C015 | Identify information system users, processes acting on behalf of users, or devices. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.j*, 01.q*, 09.m*
IA.1.077 | C015 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.j, 01.q*, 09.m*

Level 2
IA.2.078 | C015 | Enforce a minimum password complexity and change of characters when new passwords are created. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.d*
IA.2.079 | C015 | Prohibit password reuse for a specified number of generations. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.d*
IA.2.080 | C015 | Allow temporary password use for system logons with an immediate change to a permanent password. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.d*
IA.2.081 | C015 | Store and transmit only cryptographically protected passwords. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.d*
IA.2.082 | C015 | Obscure feedback of authentication information. | PR.AC-1 | 01.d, 01.p*

Level 3
IA.3.083 | C015 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.q*
IA.3.084 | C015 | Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.q*
IA.3.085 | C015 | Prevent the reuse of identifiers for a defined period. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.q*
IA.3.086 | C015 | Disable identifiers after a defined period of inactivity. | PR.AC-1, PR.AC-6, PR.AC-7 | 01.b*

Level 4
None

Level 5
None

D07 INCIDENT RESPONSE (IR)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
IR.2.092 | C016 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | RS.RP-1 | 02.e, 05.f, 11.a, 11.c, 11.d*
IR.2.093 | C017 | Detect and report events. | DE.CM-1, DE.CM-2, DE.CM-3, RS.CO-2 | 10.c*, 11.a*, 11.b*
IR.2.094 | C017 | Analyze and triage events to support event resolution and incident declaration. | Does Not Map | 11.a*, 11.c*
IR.2.096 | C018 | Develop and implement responses to declared incidents according to pre-defined procedures. | RS.RP-1 | 11.c*
IR.2.097 | C019 | Perform root-cause analysis on incidents to determine underlying causes. | DE.AE-2 | 11.d*

Level 3
IR.3.098 | C018 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | RS.CO-2, RS.CO-3 | 05.f, 11.a*, 11.c*
IR.3.099 | C020 | Test the organizational incident response capability. | DE.DP-3 | 11.c*

Level 4
IR.4.100 | C016 | Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution. | Does Not Map | 05.g*, 11.c, 11.d*
IR.4.101 | C018 | Establish and maintain a security operations center capability that facilitates a 24/7 response capability. | Does Not Map | 09.m*, 11.c

Level 5
IR.5.102 | C018 | Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns. | Does Not Map | 11.a*, 11.c
IR.5.106 | C016 | In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data. | RS.AN-3 | 11.a, 11.c, 11.d, 11.e*
IR.5.108 | C018 | Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours. | Does Not Map | 11.a*, 11.c*
IR.5.110 | C020 | Perform unannounced operational exercises to demonstrate technical and procedural responses. | Does Not Map | 11.c*

D08 MAINTENANCE (MA)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
MA.2.111 | C021 | Perform maintenance on organizational systems. | PR.MA-1 | 08.j*
MA.2.112 | C021 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | PR.MA-1 | 08.j*, 08.m
MA.2.113 | C021 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | PR.MA-2 | 01.j*, 01.q*
MA.2.114 | C021 | Supervise the maintenance activities of personnel without required access authorization. | Does Not Map | 08.j*

Level 3
MA.3.115 | C021 | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Does Not Map | 08.j*
MA.3.116 | C021 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Does Not Map | 08.j*

Level 4
None

Level 5
None

D09 MEDIA PROTECTION (MP)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
MP.1.118 | C024 | Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | PR.DS-3 | 08.l*, 09.p

Level 2
MP.2.119 | C023 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | PR.PT-2 | 01.h, 07.a, 07.b, 08.l, 09.l, 09.o*, 09.q
MP.2.120 | C023 | Limit access to CUI on system media to authorized users. | PR.PT-2 | 01.h, 08.l, 09.l, 09.o*, 09.q
MP.2.121 | C023 | Control the use of removable media on system components. | PR.PT-2 | 09.o*

Level 3
MP.3.122 | C022 | Mark media with necessary CUI markings and distribution limitations. | PR.PT-2 | 07.e, 09.q*
MP.3.123 | C023 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | PR.PT-2 | 07.b*, 07.e
MP.3.124 | C025 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | PR.PT-2 | 08.b*, 08.k, 08.m, 09.o*, 09.q, 09.u
MP.3.125 | C025 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Does Not Map | 09.q*, 09.u

Level 4
None

Level 5
None

D10 PERSONNEL SECURITY (PS)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
PS.2.127 | C026 | Screen individuals prior to authorizing access to organizational systems containing CUI. | Does Not Map | 02.b*
PS.2.128 | C027 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | PR.AC-1 | 01.e, 02.g*, 02.h, 02.i

Level 3
None

Level 4
None

Level 5
None

D11 PHYSICAL PROTECTION (PE)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
PE.1.131 | C028 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | PR.AC-2 | 08.b*, 08.c, 08.i
PE.1.132 | C028 | Escort visitors and monitor visitor activity. | Does Not Map | 08.b*, 08.c
PE.1.133 | C028 | Maintain audit logs of physical access. | Does Not Map | 08.b*, 08.c
PE.1.134 | C028 | Control and manage physical access devices. | Does Not Map | 02.i*, 08.b*

Level 2
PE.2.135 | C028 | Protect and monitor the physical facility and support infrastructure for organizational systems. | PR.AC-2 | 08.b*, 08.c, 08.i*

Level 3
PE.3.136 | C028 | Enforce safeguarding measures for CUI at alternate work sites. | Does Not Map | 01.y*, 08.k, 12.c*

Level 4
None

Level 5
None

D12 RECOVERY (RE)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
RE.2.137 | C029 | Regularly perform and test data back-ups. | PR.IP-4 | 09.a, 09.l*
RE.2.138 | C029 | Protect the confidentiality of backup CUI at storage locations. | Does Not Map | 06.c, 09.l*

Level 3
RE.3.139 | C029 | Regularly perform complete, comprehensive, and resilient data back-ups as organizationally defined. | Does Not Map | 09.a, 09.l*

Level 4
None

Level 5
RE.5.140 | C030 | Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements. | PR.IP-9 | 05.d, 10.a*, 12.c, 12.d*, 12.e

D13 RISK MANAGEMENT (RM)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
RM.2.141 | C031 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | ID.RA-1, ID.RA-4, DE.AE-4, RS.MI-3 | 03.a, 03.b*, 03.d, 12.b
RM.2.142 | C031 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | ID.RA-1 | 10.m*
RM.2.143 | C032 | Remediate vulnerabilities in accordance with risk assessments. | RS.MI-3 | 10.m*

Level 3
RM.3.144 | C031 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria. | ID.RA-5 | 03.b, 03.c*, 12.b*
RM.3.146 | C032 | Develop and implement risk mitigation plans. | ID.RA-6, ID.RM-1 | 03.c*
RM.3.147 | C032 | Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk. | Does Not Map | 10.h*

Level 4
RM.4.148 | C033 | Develop and update, as required, a plan for managing supply chain risks associated with the IT supply chain. | ID.SC-1, ID.SC-2 | 05.i*, 05.k*
RM.4.149 | C031 | Catalog and periodically update threat profiles and adversary TTPs. | DE.AE-2 | 03.b*
RM.4.150 | C031 | Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. | ID.RA-2, ID.RA-3 | 10.a*
RM.4.151 | C031 | Perform scans for unauthorized ports available across perimeter network boundaries over the organization's Internet network boundaries and other organizationally-defined boundaries. | DE.CM-7 | 01.l*, 10.m

Level 5
RM.5.152 | C032 | Utilize an exception process for non-whitelisted software that includes mitigation techniques. | Does Not Map | 01.l*, 04.a, 05.a, 09.j
RM.5.155 | C032 | Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence. | Does Not Map | 03.a, 03.b, 10.m*, 12.b

D14 SECURITY ASSESSMENT (CA)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
CA.2.157 | C034 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | PR.IP-7 | 05.b*, 09.m*, 10.a*
CA.2.158 | C035 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | DE.DP-3 | 03.b, 05.a, 05.h, 06.g*, 06.h
CA.2.159 | C035 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Does Not Map | 03.c*

Level 3
CA.3.161 | C035 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | PR.IP-7, DE.DP-5 | 00.a*, 03.b, 04.a, 06.g
CA.3.162 | C036 | Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk. | Does Not Map | 10.h*

Level 4
CA.4.163 | C034 | Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement. | ID.RM-1, RS.IM-1, RS.IM-2, RC.IM-1, RC.IM-2 | 00.a, 05.a*
CA.4.164 | C035 | Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts. | Does Not Map | 10.m*
CA.4.227 | C035 | Periodically perform red teaming against organizational assets in order to validate defensive capabilities. | Does Not Map | 10.m*

Level 5
None

D15 SITUATIONAL AWARENESS (SA)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
None

Level 2
None

Level 3
SA.3.169 | C037 | Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders. | ID.RA-2 | 05.g*

Level 4
SA.4.171 | C037 | Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls. | DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8 | 09.ab*
SA.4.173 | C037 | Design network and system security capabilities to leverage, integrate, and share indicators of compromise. | Does Not Map | 09.ab*, 10.a

Level 5
None

D16 SYSTEM AND COMMUNICATIONS PROTECTION (SC)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
SC.1.175 | C039 | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | PR.PT-4 | 01.m, 01.n*, 09.m*
SC.1.176 | C039 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | PR.AC-5 | 01.m*, 09.m, 09.y

Level 2
SC.2.178 | C038 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | PR.AC-3 | 09.s*
SC.2.179 | C038 | Use encrypted sessions for the management of network devices. | Does Not Map | 01.n*, 01.y, 05.i, 09.m

Level 3
SC.3.177 | C038 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | PR.DS-1, PR.DS-2 | 06.d, 06.f*, 09.m
SC.3.180 | C038 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Does Not Map | 10.a*, 10.b, 10.c, 10.e
SC.3.181 | C038 | Separate user functionality from system-management functionality. | Does Not Map | 09.j*
SC.3.182 | C038 | Prevent unauthorized and unintended information transfer via shared system resources. | Does Not Map | 01.q*, 01.w*
SC.3.183 | C038 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Does Not Map | 01.n*, 09.m
SC.3.184 | C038 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | PR.AC-3 | 01.n*
SC.3.185 | C038 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | PR.AC-2 | 09.m*, 09.v, 09.y
SC.3.186 | C038 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Does Not Map | 01.t*
SC.3.187 | C038 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Does Not Map | 10.g*
SC.3.188 | C038 | Control and monitor the use of mobile code. | DE.CM-5 | 09.k*
SC.3.189 | C038 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Does Not Map | 09.m*
SC.3.190 | C038 | Protect the authenticity of communications sessions. | Does Not Map | 10.d*
SC.3.191 | C038 | Protect the confidentiality of CUI at rest. | PR.DS-1 | 06.d*, 09.q
SC.3.192 | C039 | Implement Domain Name System (DNS) filtering services. | Does Not Map | 01.m*, 01.o
SC.3.193 | C039 | Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter). | Does Not Map | 07.c*, 09.z*

Level 4
SC.4.197 | C038 | Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization. | PR.AC-5 | 01.m, 01.w*
SC.4.199 | C039 | Utilize threat intelligence to proactively block DNS requests from reaching malicious domains. | Does Not Map | 01.o*, 05.g*
SC.4.202 | C039 | Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries. | Does Not Map | 09.k, 09.m*
SC.4.228 | C038 | Isolate administration of organizationally defined high-value critical network infrastructure components and servers. | PR.AC-5 | 01.m, 01.w*
SC.4.229 | C039 | Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization. | Does Not Map | 01.o, 09.m*

Level 5
SC.5.198 | C038 | Configure monitoring systems to record packets passing through the organization's Internet network boundaries and other organizationally defined boundaries. | Does Not Map | 09.m*, 09.ab
SC.5.208 | C039 | Employ organizationally defined and tailored boundary protections in addition to commercially available solutions. | Does Not Map | 01.o, 09.m*
SC.5.230 | C038 | Enforce port and protocol compliance. | Does Not Map | 01.l, 06.g, 06.h, 10.a, 10.m*

D17 SYSTEM AND INFORMATION INTEGRITY (SI)

CMMC Practice ID | CMMC Capability ID | CMMC Practice Description | NIST CsF Element No. | HITRUST CSF Control No.

Level 1
SI.1.210 | C040 | Identify, report, and correct information and information system flaws in a timely manner. | RS.CO-2, RS.MI-3 | 10.c*, 10.m
SI.1.211 | C041 | Provide protection from malicious code at appropriate locations within organizational information systems. | DE.CM-4 | 09.j*
SI.1.212 | C041 | Update malicious code protection mechanisms when new releases are available. | DE.CM-4 | 09.j*
SI.1.213 | C041 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | DE.CM-4 | 09.j*, 09.k

Level 2
SI.2.214 | C040 | Monitor system security alerts and advisories and take action in response. | RS.AN-5 | 05.g*
SI.2.216 | C042 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | DE.CM-1 | 09.m*, 09.ab
SI.2.217 | C042 | Identify unauthorized use of organizational systems. | DE.CM-1, DE.CM-7 | 06.e, 09.ab*

Level 3
SI.3.218 | C042 | Employ spam protection mechanisms at information system access entry and exit points. | Does Not Map | 09.j*
SI.3.219 | C043 | Implement email forgery protections. | PR.DS-2 | 09.j*, 09.v
SI.3.220 | C043 | Utilize sandboxing to detect or block potentially malicious email. | Does Not Map | 09.m*, 09.v

Level 4
SI.4.221 | C040 | Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting. | ID.RA-2, ID.RA-3 | 05.g*, 09.ab

Level 5
SI.5.222 | C041 | Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions. | Does Not Map | 09.ab*
SI.5.223 | C042 | Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior. | DE.CM-1, DE.CM-3 | 06.e, 09.ab*


Appendix G – NIST Cybersecurity Framework

Mappings are provided for CMMC Practice IDs and HITRUST CSF Control Numbers to the NIST Cybersecurity Framework’s Core

Subcategories.

Table 18. NIST Cybersecurity Framework Core Subcategories with Mappings to CMMC and HITRUST CSF

NIST CsF Element

NIST Cybersecurity Framework Element DescriptionsCMMC Practice

IDHITRUST CSF Control No

ID Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

ID.AMThe data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

ID.AM-1 Physical devices and systems within the organization are inventoriedAM.4.226CM.2.061CM.2.064

07.a07.d

ID.AM-2 Software platforms and applications within the organization are inventoriedAM.4.226CM.2.061CM.2.064

01.l07.a07.d

ID.AM-3 Organizational communication and data flows are mappedAC.2.016AC.4.023

01.m01.o05.i09.m09.n

ID.AM-4 External information systems are cataloguedAC.1.003AC.2.006

01.i09.e09.n

ID.AM-5Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classifica-tion, criticality, and business value

Does Not Map

01.a01.w06.c07.a07.b07.d12.a12.c12.d

ID-AM-6Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

Does Not Map

00.a01.a02.a02.b02.c02.d02.e05.e05.j05.k07.b07.c07.d09.m09.n10.k10.m11.d12.a12.c12.d12.e

ID.BEThe organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Page 56: The Department of Defense (DoD) Cybersecurity Maturity ... · shared as is in full, in any form or by any means, ... networks, installations, capabilities, and services. ... or cybersecurity

HITRUST and the DoD CMMC 56<< Back to Contents

v.HT-149-01 © 2020 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.

NIST CsF Element

NIST Cybersecurity Framework Element DescriptionsCMMC Practice

IDHITRUST CSF Control No

ID.BE-1 The organization’s role in the supply chain is identified and communicated Does Not Map05.d09.g10.l

ID.BE-2 The organization’s place in critical infrastructure and its industry sector is identified and communicated Does Not Map05.a12.b

ID.BE-3 Priorities for organizational mission, objectives, and activities are established and communicated Does Not Map

01.w03.a05.a05.b

ID.BE-4 Dependencies and critical functions for delivery of critical services are established Does Not Map08.h12.b12.c

ID.BE-5Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)

Does Not Map

12.a12.b12.c12.d

ID.GVThe policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational require-ments are understood and inform the management of cybersecurity risk.

ID.GV-1 Organizational cybersecurity policy is established and communicated Does Not Map

00.a04.a04.b05.a05.c

ID.GV-2 Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners Does Not Map

04.a05.a05.b05.c05.k

ID.GV-3Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Does Not Map

01.a02.a02.b02.c02.e04.a04.b05.b05.e05.g05.i05.k06.a06.b06.c06.d06.e06.f06.g07.b08.b08.c08.h09.ab09.n09.v09.x09.z10.a10.f11.a11.c11.e12.e

Page 57: The Department of Defense (DoD) Cybersecurity Maturity ... · shared as is in full, in any form or by any means, ... networks, installations, capabilities, and services. ... or cybersecurity

HITRUST and the DoD CMMC 57<< Back to Contents

v.HT-149-01 © 2020 HITRUST All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.

NIST CSF Element | NIST Cybersecurity Framework Element Description | CMMC Practice ID | HITRUST CSF Control No.

ID.GV-4 | Governance and risk management processes address cybersecurity risks | Does Not Map | 00.a, 01.a, 01.q, 01.w, 01.x, 01.y, 02.e, 03.a, 03.b, 03.d, 04.a, 04.b, 05.a, 05.d, 05.g, 05.h, 06.a, 06.c, 06.i, 07.b, 07.d

ID.RA: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1 | Asset vulnerabilities are identified and documented | RM.2.141, RM.2.142 | 03.b, 03.d, 06.h, 09.ab, 09.z, 10.c, 10.m, 11.b, 12.b
ID.RA-2 | Cyber threat intelligence is received from information sharing forums and sources | RM.4.150, SA.3.169, SI.4.221 | 05.g, 10.m, 03.b, 03.d, 07.d, 12.b
ID.RA-3 | Threats, both internal and external, are identified and documented | AT.3.058, RM.4.150, SI.4.221 | 03.b, 03.d, 07.d, 10.l, 12.b
ID.RA-4 | Potential business impacts and likelihoods are identified | RM.2.141 | 03.b, 03.d, 05.d, 07.d, 09.g, 10.k, 10.m, 12.b
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | RM.3.144 | 03.b, 03.d, 10.k, 10.m, 12.b
ID.RA-6 | Risk responses are identified and prioritized | RM.3.146 | 03.c, 06.g, 06.h, 10.m

ID.RM: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | CA.4.163, RM.3.146 | 03.a, 03.b, 05.a, 05.h, 05.i
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | Does Not Map | 03.a, 05.h
ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis | Does Not Map | 03.a, 05.h, 12.b

ID.SC: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess, and manage supply chain risks.

ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | RM.4.148 | 05.i, 05.k, 09.e, 09.f, 09.g
ID.SC-2 | Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | RM.4.148 | 05.i, 09.e, 09.f
ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | Does Not Map | 05.i, 05.k, 09.e
ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | Does Not Map | 05.k, 09.e, 09.f
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers | Does Not Map | 12.e

PR: Develop and implement appropriate safeguards to ensure delivery of critical services.

PR.AC: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes | AC.1.001, AC.1.002, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.2.082, IA.3.083, IA.3.084, IA.3.085, IA.3.086, PS.2.128 | 01.a, 01.b, 01.c, 01.d, 01.e, 01.f, 01.j, 01.k, 01.p, 01.q, 01.r, 01.v, 02.g, 02.i, 05.j, 06.j, 09.m, 10.i
PR.AC-2 | Physical access to assets is managed and protected | PE.1.131, PE.2.135, SC.3.185 | 01.g, 01.k, 01.l, 01.v, 01.x, 01.y, 08.a, 08.b, 08.c, 08.e, 08.f, 08.h, 08.i, 10.i
PR.AC-3 | Remote access is managed | AC.1.001, AC.1.002, AC.1.003, AC.2.013, AC.2.015, AC.3.014, AC.3.020, AC.3.021, AC.3.022, SC.2.178, SC.3.184 | 01.j, 01.n, 01.q, 01.v, 01.y, 05.i, 05.j, 09.e, 09.s, 09.w, 10.i
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | AC.1.001, AC.1.002, AC.2.007, AC.3.017, AC.3.018 | 01.a, 01.b, 01.c, 01.e, 01.m, 01.p, 01.s, 01.v, 01.x, 02.g, 02.i, 05.i, 06.j, 07.a, 07.d, 08.i, 09.ac, 09.c, 09.j, 09.r, 09.w, 09.y, 09.z, 10.i
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) | AC.2.016, AC.4.023, SC.1.176, SC.4.197, SC.4.228 | 01.m, 01.n, 01.o, 01.w, 09.m, 09.w
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions | AC.1.001, AC.1.002, AC.3.020, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.3.083, IA.3.084, IA.3.085, IA.3.086 | 01.b, 02.b, 05.k
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | AC.2.009, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.3.083, IA.3.084, IA.3.085, IA.3.086 | 01.a, 01.b, 01.d, 01.f, 01.j, 01.k, 01.p, 01.q, 01.r, 01.t, 01.u, 06.d

PR.AT: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1 | All users are informed and trained | AT.2.056, AT.2.057, AT.4.059, AT.4.060 | 00.a, 01.f, 01.g, 01.p, 01.x, 01.y, 02.d, 02.e, 05.c, 07.c, 09.j, 09.s, 11.b, 11.c, 12.c, 12.d
PR.AT-2 | Privileged users understand their roles and responsibilities | AT.2.056, AT.2.057, AT.4.059, AT.4.060 | 00.a, 01.q, 02.d, 02.e, 05.c, 09.z
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | AT.2.056, AT.2.057, AT.4.059, AT.4.060 | 00.a, 02.d, 05.i, 05.j, 05.k, 06.a, 09.e, 09.f, 09.g, 09.n, 09.t, 09.x, 10.a, 10.k, 10.l
PR.AT-4 | Senior executives understand their roles and responsibilities | AT.2.056, AT.2.057, AT.4.059, AT.4.060 | 00.a, 02.d, 02.e, 05.a
PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities | AT.2.056, AT.2.057, AT.4.059, AT.4.060 | 00.a, 02.d, 02.e, 05.c, 11.a

PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1 | Data-at-rest is protected | SC.3.177, SC.3.191 | 01.d, 01.j, 01.k, 01.v, 01.x, 01.y, 06.d, 08.j, 09.ac, 09.l, 09.o, 09.x, 09.y, 09.z, 10.f, 10.g, 10.i, 12.c
PR.DS-2 | Data-in-transit is protected | SC.3.177, SI.3.219 | 01.j, 01.n, 01.r, 01.y, 05.i, 06.d, 08.i, 09.ac, 09.l, 09.m, 09.s, 09.t, 09.u, 09.v, 09.x, 09.y, 09.z, 10.d, 10.f, 10.g
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | CM.2.061, CM.2.064, MP.1.118 | 01.y, 06.c, 07.a, 07.b, 07.d, 08.k, 08.l, 08.m, 09.e, 09.p, 09.q
PR.DS-4 | Adequate capacity to ensure availability is maintained | Does Not Map | 09.ac, 09.h, 12.c
PR.DS-5 | Protections against data leaks are implemented | AC.2.016, AC.4.023, AC.5.024 | 01.c, 01.m, 01.n, 01.o, 01.p, 01.r, 01.s, 01.t, 01.u, 01.v, 01.w, 02.b, 02.c, 05.e, 07.c, 07.d, 07.e, 09.i, 09.m, 09.p, 09.q, 09.s, 09.v, 09.w, 09.x, 09.y, 10.b, 10.d, 10.j
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | CM.5.074 | 09.ab, 09.ac, 09.z, 10.b, 10.c, 10.d
PR.DS-7 | The development and testing environment(s) are separate from the production environment | CM.2.061, CM.2.064 | 09.d, 09.k, 10.h
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity | CM.5.074 | 01.k, 05.k, 08.j, 08.h, 10.k

PR.IP: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | CM.2.061, CM.2.064, CM.2.065, CM.3.067, CM.3.068, CM.2.062 | 01.i, 01.l, 01.m, 01.w, 01.x, 01.y, 06.b, 07.b, 09.m, 09.w, 09.z, 10.h, 10.k
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | CM.5.074 | 09.i, 10.a, 10.k, 10.l
PR.IP-3 | Configuration change control processes are in place | CM.2.065, CM.2.066 | 01.l, 01.n, 09.b, 09.d, 10.h, 10.k
PR.IP-4 | Backups of information are conducted, maintained, and tested | RE.2.137 | 09.l, 09.w
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | Does Not Map | 01.g, 01.y, 08.d, 08.e, 08.f, 08.g, 08.h, 08.i
PR.IP-6 | Data is destroyed according to policy | Does Not Map | 08.l, 08.m, 09.p
PR.IP-7 | Protection processes are improved | CA.2.157 | 00.a, 03.c, 05.h, 06.a, 11.a, 12.d, 12.e
PR.IP-8 | Effectiveness of protection technologies is shared | Does Not Map | 05.b, 05.h
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | RE.5.140 | 11.a, 11.c, 12.a, 12.b, 12.c, 12.d, 12.e
PR.IP-10 | Response and recovery plans are tested | Does Not Map | 11.c, 12.e
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | Does Not Map | 01.a, 01.b, 01.c, 01.d, 02.a, 02.b, 02.c, 02.d, 02.e, 02.f, 02.g, 02.h, 02.i, 05.e, 05.k, 06.e, 07.c, 11.a, 11.e, 12.a
PR.IP-12 | Vulnerability management plan is developed and implemented | Does Not Map | 03.c, 06.h, 10.m

PR.MA: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | MA.2.111, MA.2.112 | 01.l, 08.j
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | MA.2.113 | 01.j, 01.q, 08.j

PR.PT: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | AU.2.043, AU.2.044, AU.4.054 | 01.c, 06.c, 06.i, 07.b, 08.b, 09.aa, 09.ab, 09.ac, 09.ad, 09.ae, 09.af, 09.h, 09.q, 10.i, 10.m
PR.PT-2 | Removable media is protected, and its use restricted according to policy | AC.2.006, MP.2.119, MP.2.120, MP.2.121, MP.3.122, MP.3.123, MP.3.124 | 01.c, 01.g, 01.h, 01.v, 07.e, 09.o, 09.q, 09.t, 09.u
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | AC.1.001, AC.1.002, CM.2.062, CM.3.068, CM.3.069, CM.4.073 | 01.h, 01.i, 01.l, 01.s, 01.u, 01.v, 06.j, 10.i, 10.j, 10.k, 10.m
PR.PT-4 | Communications and control networks are protected | AC.1.001, AC.1.002, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.012, AC.3.014, AC.3.021, AC.4.023, SC.1.175 | 01.c, 01.j, 01.l, 01.m, 01.n, 01.o, 01.t, 01.u, 09.n
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | Does Not Map | 10.a, 12.a, 12.b, 12.c, 12.d

DE: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

DE.AE: Anomalous activity is detected, and the potential impact of events is understood.

DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | AC.4.023, AC.5.024, CM.2.061, CM.2.064 | 01.i, 01.l, 01.m, 01.n, 05.i, 09.m, 09.n, 09.w, 11.d
DE.AE-2 | Detected events are analyzed to understand attack targets and methods | IR.2.097, RM.4.149 | 09.ab, 11.d, 01.j
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors | AU.3.051, AU.4.053 | 09.ab, 11.c
DE.AE-4 | Impact of events is determined | RM.2.141 | 09.e, 09.m, 11.d, 12.a, 12.b
DE.AE-5 | Incident alert thresholds are established | Does Not Map | 12.d

DE.CM: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1 | The network is monitored to detect potential cybersecurity events | AU.2.041, AU.2.042, IR.2.093, SA.4.171, SI.2.216, SI.2.217, SI.5.223 | 01.j, 01.n, 06.e, 09.aa, 09.ab, 09.ac, 09.m, 10.k, 11.a
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | IR.2.093, SA.4.171 | 08.a, 08.b, 08.c, 09.ab
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | AU.2.041, AU.2.042, CM.2.063, IR.2.093, SA.4.171, SI.5.223 | 01.b, 01.c, 06.b, 06.e, 08.c, 09.aa, 09.ab, 09.c
DE.CM-4 | Malicious code is detected | SA.4.171, SI.1.211, SI.1.212, SI.1.213 | 08.j, 09.ab, 09.j, 09.k, 10.l
DE.CM-5 | Unauthorized mobile code is detected | SA.4.171, SC.3.188 | 09.k
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | SA.4.171 | 05.k, 09.e, 09.f, 09.n, 09.z, 10.l
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | AC.5.024, AU.2.041, AU.2.042, RM.4.151, SA.4.171, SI.2.217 | 01.x, 06.g, 08.a, 08.b, 08.c, 09.ab, 09.n, 10.k
DE.CM-8 | Vulnerability scans are performed | SA.4.171 | 06.h, 09.z, 10.b, 10.c, 10.m

DE.DP: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | Does Not Map | 02.a, 06.g, 06.i, 06.j
DE.DP-2 | Detection activities comply with all applicable requirements | Does Not Map | 06.i, 08.a, 08.b, 08.c, 09.ab
DE.DP-3 | Detection processes are tested | CA.2.158, IR.3.099 | 08.b, 09.ab
DE.DP-4 | Event detection information is communicated | Does Not Map | 05.b, 05.f, 06.g, 06.i, 09.ab, 09.ae, 11.a
DE.DP-5 | Detection processes are continuously improved | CA.3.161 | 09.ab, 10.b

RS: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

RS.AN: Analysis is conducted to ensure effective response and support recovery activities.

RS.AN-1 | Notifications from detection systems are investigated | Does Not Map | 08.b, 09.ab, 09.ac, 11.d
RS.AN-2 | The impact of the incident is understood | Does Not Map | 11.d
RS.AN-3 | Forensics are performed | AU.3.052 | 11.c, 11.d, 11.e
RS.AN-4 | Incidents are categorized consistent with response plans | Does Not Map | 11.c
RS.AN-5 | Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | SI.2.214 | 10.m

RS.CO: Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).

RS.CO-1 | Personnel know their roles and order of operations when a response is needed | Does Not Map | 02.e, 11.a, 11.c, 12.c, 12.d, 12.e
RS.CO-2 | Incidents are reported consistent with established criteria | IR.2.093, IR.3.098 | 05.f, 09.ab, 10.c, 11.a, 11.b, 11.c
RS.CO-3 | Information is shared consistent with response plans | IR.3.098 | 05.f, 05.g, 08.b, 09.ab, 10.m, 11.a, 11.c, 11.d
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | Does Not Map | 09.f, 11.c, 11.d, 12.c
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | Does Not Map | 03.b, 05.g, 06.a, 11.a, 11.c

RS.IM: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1 | Response plans incorporate lessons learned | CA.4.163 | 11.c, 11.d
RS.IM-2 | Response strategies are updated | CA.4.163 | 11.c, 11.d

RS.MI: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

RS.MI-1 | Incidents are contained | Does Not Map | 01.b, 11.c, 11.d
RS.MI-2 | Incidents are mitigated | Does Not Map | 01.b, 09.f, 10.a, 11.c, 11.d
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | RM.2.141, RM.2.143, SI.1.210 | 03.a, 03.c, 06.h, 10.c, 10.m

RS.RP: Response processes and procedures are executed and maintained to ensure response to detected cybersecurity incidents.

RS.RP-1 | Response plan is executed during or after an incident | IR.2.092, IR.2.095 | 11.a, 11.c, 11.d

RC: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

RC.CO: Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

RC.CO-1 | Public relations are managed | Does Not Map | 11.c, 11.d
RC.CO-2 | Reputation is repaired after an incident | Does Not Map | 11.c
RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | Does Not Map | 11.d, 12.c

RC.IM: Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1 | Recovery plans incorporate lessons learned | CA.4.163 | 11.d, 12.e
RC.IM-2 | Recovery strategies are updated | CA.4.163 | 11.d, 12.e

RC.RP: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident | Does Not Map | 11.d, 12.c

NOT MAPPED (CMMC practices with no NIST CSF element) | | AC.1.004, AC.2.005, AC.2.008, AC.2.010, AC.3.019, AC.4.025, AC.4.032, AM.3.036, AU.3.045, AU.3.046, AU.3.048, AU.3.049, AU.3.050, AU.5.055, CA.2.159, CA.3.162, CA.4.164, IR.2.094, IR.4.101, IR.5.102, IR.5.108, IR.5.110, MA.2.114, MA.3.115, MA.3.116, MP.3.125, PE.1.132, PE.1.133, PE.1.134, PE.3.136, PS.2.127, RE.2.138, RE.3.139, RM.3.147, RM.4.148, RM.5.152, RM.5.155, SA.4.173, SC.2.179, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.186, SC.3.187, SC.3.189, SC.3.190, SC.3.192, SC.3.193, SC.4.199, SC.4.202, SC.4.229, SC.5.198, SC.5.208, SC.5.230, SI.3.218, SI.3.220, SI.5.222 | None


Appendix H – References

i. U.S. Executive Office of the President, Council of Economic Advisers, CEA (2018, Feb). The Cost of Malicious Cyber Activity to the U.S. Economy. Available from https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf.
ii. Center for Strategic and International Studies and McAfee (2018, Feb). Economic Impact of Cybercrime - No Slowing Down. Available from https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-economic-impact-cybercrime.pdf.
iii. Carnegie Mellon University Software Engineering Institute (2020, Mar). CMMC—Securing the DIB Supply Chain. Available from https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=205766.
iv. Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC (2020a, 18 Mar). Cybersecurity Maturity Model Certification (CMMC), Version 1.02, p. 1. Available from https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf.
v. HITRUST (2020a). The HITRUST Approach. Frisco, TX: Author. Available from https://hitrustalliance.net/the-hitrust-approach/.
vi. Joint Task Force Transformation Initiative, JTF TI (2012, Sep). Guide for Conducting Risk Assessments (NIST SP 800-30, Revision 1). Gaithersburg, MD: Author. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
vii. NIST (2004, Feb). Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199). Gaithersburg, MD: Author. Available from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.
viii. JTF TI (2013, Apr). Security and Privacy Controls for Federal Information Systems (NIST SP 800-53 Revision 4). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.
ix. Centers for Medicare and Medicaid Services, CMS (2017a). CMS Acceptable Risk Safeguards (ARS) (CMS_CIO-STD-SEC01-3.0). Baltimore, MD: Author. Available from https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/ARS-30-Publication.html.
x. CMS (2015b). Volume III: Catalog of Minimum Acceptable Risk Security and Privacy Controls for Exchanges (MARS-E Document Suite, Version 2.0). Baltimore, MD: Author. Available from https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/Downloads/3-MARS-E-v2-0-Catalog-of-Security-and-Privacy-Controls-11102015.pdf.
xi. FedRAMP (2017, 15 Nov). FedRAMP Security Assessment Framework, v2.4. Available from https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Assessment_Framework.pdf.
xii. HITRUST (2019, Nov). HITRUST CSF Version 9.3.1. Frisco, TX: Author. Available from https://hitrustalliance.net/csf-license-agreement/.
xiii. ISO/IEC (2005, Oct 15). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001:2005). Geneva: Author. Available from https://www.iso.org/standard/42103.html.
xiv. California Consumer Privacy Act, Cal. Civ. Code § 1798.100 - 1798.199 (2018). Available from https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=.
xv. The Health Insurance Portability and Accountability Act, 45 C.F.R. Parts 160, 162, and 164 (1996). Administrative simplification available from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.
xvi. General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council (2016, Apr 27). Available from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
xvii. ISO/IEC (2013, Oct). Information technology—Security techniques—Code of practice for information security controls. Geneva: Author. Available from https://www.iso.org/standard/54533.html.
xviii. PCI Security Standards Council (2018, May). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2.1. Available from https://www.pcisecuritystandards.org/document_library.
xix. Cloud Security Alliance (2020, May 7). Cloud Control Matrix (CCM v3.0.1). Available from https://cloudsecurityalliance.org/artifacts/ccm-translation-in-10-languages/.
xx. HITRUST (2019a, Oct). Introduction to the HITRUST CSF, Version 9.3. Available from https://hitrustalliance.net/content/uploads/CSFv9.3_Introduction.pdf.
xxi. Cline, B. (2018, Feb). HITRUST CSF Risk Factors: How HITRUST uses risk factors to help healthcare organizations dynamically tailor CSF controls to meet their information protection needs. Frisco, TX: HITRUST. Available from https://hitrustalliance.net/content/uploads/RiskAnalysisGuide.pdf.
xxii. JTF TI (2012, Sep), p. 8.
xxiii. JTF TI (2012, Sep), p. 10.
xxiv. HITRUST (2020b). CSF Assurance Program. Available from https://hitrustalliance.net/csf-assurance/.
xxv. HITRUST (2019a, Oct).
xxvi. Cline, B., Huval, J., and Sheth, B. (2019b, Oct). Evaluating Control Maturity Using the HITRUST Approach: Quasi-quantitative scoring based on the HITRUST CSF security and privacy control implementation maturity model. Frisco, TX: HITRUST. Available from https://hitrustalliance.net/content/uploads/Evaluating-Control-Maturity-Using-the-HITRUST-Approach.pdf.


xxvii. Bowen, P. and Kissel, R. (2007, Jan). Interagency Report (IR) 7358, Program Review of Information Security Management Assistance (PRISMA) (NISTIR 7358). Gaithersburg, MD: Author. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7358.pdf.
xxviii. CMMI Institute (2020). Introducing CMMI V2.0. Available from https://cmmiinstitute.com/cmmi.
xxix. Bowen, P. and Kissel, R. (2007, Jan), p. 2.
xxx. NIST (2020). Program Review for Information Security Assistance: Security Maturity Levels. Available from https://csrc.nist.gov/Projects/Program-Review-for-Information-Security-Assistance/Security-Maturity-Levels.
xxxi. AICPA (2020). About the AICPA. Available from https://www.aicpa.org/about.html.
xxxii. Forrester Consulting (2017, Feb). Stop the Breach: Reduce the likelihood of an Attack through an IAM Maturity Model: A Forrester Consulting Thought Leadership Paper, p. 1. Available from https://www.centrify.com/media/4594046/stop-the-breach.pdf.
xxxiii. Merriam-Webster (2020). Dictionary: Assurance. Available from https://www.merriam-webster.com/dictionary/assurance.
xxxiv. Merriam-Webster (2020). Dictionary: Assure. Available from https://www.merriam-webster.com/dictionary/assure.
xxxv. Cline, B. and Tallman, N. (2019). How Do I Know if an Assurance Report is Rely-Able? Frisco, TX: HITRUST. Available from https://hitrustalliance.net/content/uploads/How-Do-You-Know-if-a-CSF-Assurance-Report-is-Rely-able.pdf.
xxxvi. NIST (2018, Apr). Framework for Improving Critical Infrastructure Cybersecurity, v1.1. Gaithersburg, MD: NIST. Available from https://doi.org/10.6028/NIST.CSWP.04162018.
xxxvii. NIST (2020). Cybersecurity Framework: Informative Reference Catalogue. Available from https://csrc.nist.gov/Projects/Cybersecurity-Framework/Informative-Reference-Catalog.
xxxviii. Critical Infrastructure Partnership Advisory Council Joint Healthcare and Public Health Cybersecurity Working Group (2016, May). Healthcare Sector Cybersecurity Framework Implementation Guide (Version 1.1). Available from https://www.us-cert.gov/sites/default/files/c3vp/framework_guidance/HPH_Framework_Implementation_Guidance.pdf.
xxxix. Cybersecurity & Infrastructure Security Agency, CISA (2020). Cybersecurity Framework: Cybersecurity Framework Guidance. Available from https://www.us-cert.gov/ccubedvp/cybersecurity-framework.
xl. Federal Acquisition Regulation, 48 CFR § 252.204-7012 (DFARS) (2019, Dec). Safeguarding covered defense information and cyber incident reporting. Available from https://www.law.cornell.edu/cfr/text/48/252.204-7012.
xli. Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., and Guissanie, G. (2020, Feb). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 R2). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.
xlii. CMU and JHU APL (2020a).
xliii. Federal Acquisition Regulation, 48 C.F.R. § 52.204-21 (2016, Oct). Basic Safeguarding of Covered Contractor Information Systems. Available from https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems.
xliv. Ross, R., et al. (2020, Feb).
xlv. CMU and JHU APL (2020b, 18 Mar). CMMC Appendices, Version 1.02. Available from https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf.
xlvi. InsideCybersecurity (2020, May 12). Pentagon gives companies credit for existing certifications under new contractor cybersecurity program. Available from https://insidecybersecurity.com/daily-news/pentagon-give-companies-credit-existing-certifications-under-new-contractor-cybersecurity.
xlvii. Ross, R., et al. (2020, Feb), p. 84.
xlviii. HITRUST (2019, Oct). HITRUST Glossary of Terms and Acronyms, Version 4. Frisco, TX: Author. Available from https://hitrustalliance.net/content/uploads/HITRUST-Glossary-of-Terms-and-Acronyms.pdf.


855.HITRUST

(855.448.7878)

www.HITRUSTAlliance.net